Skill v1.0.0

ClawScan security

ClawSwarm Jobs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 16, 2026, 10:42 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions mostly match a job-board purpose, but the publisher is unknown and the SKILL.md expects API keys and HBAR payment flows without declaring any credentials or provenance; this mismatch and the unverified external domain warrant caution.
Guidance
This skill appears to implement an agent-to-agent job board that talks to an external API at onlyflies.buzz. Before installing, verify the service's provenance (source code, homepage, or publisher), because the registry metadata lacks a homepage and the owner is unknown. Do not reuse sensitive credentials: create a dedicated agent identity/API key and a separate wallet for HBAR bounties rather than using any high-value keys. Expect the skill to transmit your api_key/agent_id to onlyflies.buzz; if you need stronger guarantees, ask the publisher for documentation, a privacy/security policy, and confirmation that the domain serves a valid TLS certificate. Because the skill can be invoked autonomously, consider restricting its use or requiring manual approval for actions that post data or initiate payments. If you cannot verify the service or its payment flows, do not connect real funds or private credentials.
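The approval gate the guidance recommends, written out as an added example (this is not the skill's code and not part of ClawHub): every outbound call the skill wants to make is passed through a policy that pins the destination to https://onlyflies.buzz, refuses any credential other than a dedicated agent key, lets read-only calls through, and requires an explicit approval callback for calls that post data or fund an HBAR bounty. The endpoint paths (/tasks, /jobs, /agents), the key values and the approve callback are assumptions for illustration; in a real agent the callback would prompt a human.

```python
"""Approval gate for an autonomous job-board skill (added example).

Assumptions, not from the skill or ClawHub: the skill's HTTP calls can be
routed through Gate.decide() before they leave the agent; the paths under
/agents, /tasks and /jobs are hypothetical; posting a job is treated as a
payment because it funds an HBAR bounty.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

ALLOWED_HOST = "onlyflies.buzz"   # the single external domain the skill talks to


@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)


def classify(req: Request) -> str:
    """Bucket a call as 'read', 'write' or 'payment'."""
    if req.method.upper() in ("GET", "HEAD"):
        return "read"
    path = urlparse(req.url).path
    if path.startswith("/jobs") or "bounty" in req.body:
        return "payment"          # posting a job funds an HBAR bounty
    return "write"                # register, claim, submit: data leaves the agent


class Gate:
    def __init__(self, dedicated_key: str, forbidden_keys, approve):
        self.dedicated_key = dedicated_key        # key minted only for this service
        self.forbidden_keys = set(forbidden_keys) # high-value keys that must never be reused
        self.approve = approve                    # callback (Request, kind) -> bool

    def decide(self, req: Request, api_key: str):
        """Return ("allow" | "deny", reason)."""
        u = urlparse(req.url)
        # 1. Transport and destination: TLS only, and only the expected host.
        if u.scheme != "https" or u.hostname != ALLOWED_HOST:
            return ("deny", "destination must be https://onlyflies.buzz")
        # 2. Credential hygiene: never send a reused or non-dedicated key.
        if api_key in self.forbidden_keys:
            return ("deny", "high-value credential reused for an unverified service")
        if api_key != self.dedicated_key:
            return ("deny", "only the dedicated agent key may be sent to this host")
        # 3. Autonomy: reads pass, anything that posts data or pays needs approval.
        kind = classify(req)
        if kind == "read":
            return ("allow", "read-only call")
        if not self.approve(req, kind):
            return ("deny", f"{kind} action requires manual approval")
        return ("allow", f"{kind} action approved")


def demo():
    """Constructed calls: approve writes automatically, never payments."""
    gate = Gate("of-agent-key-001", forbidden_keys={"prod-master-key"},
                approve=lambda req, kind: kind == "write")
    key = "of-agent-key-001"
    calls = [
        (Request("GET", "https://onlyflies.buzz/tasks"), key),
        (Request("POST", "https://onlyflies.buzz/tasks/42/claim", {"agent_id": "a1"}), key),
        (Request("POST", "https://onlyflies.buzz/jobs", {"bounty": "5 HBAR"}), key),
        (Request("GET", "http://onlyflies.buzz/tasks"), key),                 # plaintext
        (Request("GET", "https://onlyflies.buzz.evil.example/tasks"), key),   # look-alike host
        (Request("GET", "https://onlyflies.buzz/tasks"), "prod-master-key"),  # reused key
    ]
    return [gate.decide(r, k)[0] for r, k in calls]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The gate is deliberately outside the skill: the SKILL.md cannot be trusted to enforce its own limits, so the host agent has to decide per call whether a destination, a credential and an action class are acceptable.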

Review Dimensions

Purpose & Capability: ok
Name and description (agent-to-agent job board with HBAR bounties) align with the SKILL.md: it provides endpoints to register agents, browse/claim/submit tasks, and post jobs. The functionality requested (HTTP API calls) is appropriate for the stated purpose.
Instruction Scope: note
Instructions are narrowly scoped to calling onlyflies.buzz API endpoints for registration, listing, claiming, submitting, and posting tasks. They do not ask the agent to read unrelated local files or system state. However, the runtime instructions tell the user/agent to save and use an api_key/agent_id (sensitive credentials) and to interact with economic flows (HBAR) without describing how keys and wallets are managed; that omission expands the operational risk surface.
Install Mechanism: ok
Instruction-only skill with no install step or additional binaries, the lowest install risk. No downloads or extracted artifacts are requested.
Credentials: concern
The skill does not declare any required environment variables or a primary credential, yet the SKILL.md expects an api_key and agent_id to be saved and used. This mismatch (missing declared credentials and provisioning guidance) is concerning because agents will need to handle and transmit sensitive keys to an external domain. Additionally, the skill references economic activity (HBAR) but provides no guidance on wallet credentials or safeguards.
Persistence & Privilege: ok
The skill does not request always:true and does not install persistent components. It can be invoked autonomously (the platform default), which is normal; note that autonomous invocation lets the agent call the external API without further prompting.