Skill v1.0.1

ClawScan security

Haah: Ask your trusted circle. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 2:35 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions broadly match its stated purpose (dispatching queries to a trusted circle), but documentation inconsistencies, unclear origins, and several privacy/exfiltration risks (local key storage, automatic message-marking-as-read, optional file attachments that are sent/extracted) make this package worth closer review before install.
Guidance
This skill appears to do what it says (ask your circle and collect answers) but there are several things to check before installing:

- Confirm the canonical source: the registry metadata lists no homepage but README points to a GitHub raw URL—verify that URL and prefer installing from the official repository or a package registry you trust.
- API/version mismatch: SKILL.md and README reference different API bases/versions (v6 vs v5) and different endpoints (GET /counts vs GET /heartbeat). Ask the maintainer to clarify the correct endpoints and version before use.
- Protect your key: the workflow requires a 64-character bearer key stored in kyp/haah/haahconfig.yml. Treat this as a secret—do not commit it to git, store it in an encrypted secret store if possible, and restrict file permissions.
- Watch for data exfiltration: the skill can attach and send local files (PDF/MD/text) whose contents are extracted and transmitted to recipients' agents. Only dispatch files you are comfortable sharing externally and confirm with the human before sending.
- Cross-skill reads: Haah may read local contact/state from other skills (Peeps, Pages, etc.). Ensure you understand what local data will be accessed and that those skills' data are appropriate to share.
- Test first in a sandbox: run the skill in a controlled environment (no sensitive keys or files) until you verify the endpoints, behavior, and expected network traffic.

If the maintainer can provide a clear, single canonical source, consistent API docs, and explicit notes about what local files/data are read and what is transmitted on dispatch, my concerns would be reduced.

Review Dimensions

Purpose & Capability
note: The name/description (broadcast questions to a circle and receive answers) aligns with the runtime instructions (POST /dispatch, GET /messages, /counts, etc.). However, there are documentation mismatches (README references api.haah.ing/v5 and GET /heartbeat; SKILL.md references api.haah.ing/v6 and GET /counts and /messages) and the registry lists source/homepage as unknown while the README points to a GitHub raw URL—this inconsistency should be resolved.
Instruction Scope
concern: The SKILL.md instructs the agent to read/write workspace files (kyp/haah/haahconfig.yml, haah_circles.yml, haah_dms.yml) and to add a Haah section to HEARTBEAT.md (with permission). It also instructs the agent to consult other local skills (e.g., Peeps) before dispatching and to optionally attach/send local files (PDF/MD/plain text) whose text will be extracted and transmitted to recipients. Those file-attachment and cross-skill data-access behaviors can result in sensitive data being transmitted to external servers; the skill does not declare or limit that scope in meta. The automatic marking-as-read when fetching messages is a side effect users should be aware of.
Install Mechanism
ok: There is no install spec and no code files; this is an instruction-only skill (lowest installation risk). The README suggests a curl from a GitHub raw URL for manual install, which is a common pattern, but registry metadata says source unknown—confirm the canonical source before using that curl command.
Credentials
note: The skill requests no environment variables or credentials via the registry, but it requires the user to obtain a 64-char hex key from haah.ing and store it locally in kyp/haah/haahconfig.yml. Storing a bearer key in a workspace file (not encrypted) can lead to accidental disclosure (e.g., git commits). The instructions also imply reading other local skill state (Peeps), which is not declared in requires.config and therefore deserves explicit user consent.
Persistence & Privilege
ok: always:false, and no installs that modify other skills or system-wide settings are present. The skill expects to run on a regular heartbeat (cron or HEARTBEAT.md) but does not request permanent registry-level privileges. Still, periodic autonomous network calls mean it will contact external servers routinely when enabled.