Skillv1.0.14

ClawScan security

agnt-data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 30, 2026, 4:13 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent with its stated purpose: it is an instruction-only wrapper for the agntdata hosted API and only asks for a single API key and curl, which aligns with the documented endpoints and examples.
Guidance: This skill is a thin, curl-based client for the agntdata hosted API and appears to do what it says. Before installing: (1) treat AGNTDATA_API_KEY like a very sensitive credential — it grants unified access across many platforms, so use a dedicated key and rotate/revoke it if compromised; (2) prefer the vendor plugin (recommended in SKILL.md) if you want richer auth and schema validation; (3) be cautious when creating webhook endpoints: the provider says the endpoint id is the secret and there is no signature verification, so anyone with the URL can POST events; (4) review agntdata’s privacy, retention, and billing policies (dashboard and docs linked) because the API centralizes large amounts of social data; and (5) avoid exposing the webhook receive URL or the API key to untrusted parties or public code/config repositories.

Purpose & Capability: okName/description claim a unified social-data API and the skill only requires curl and AGNTDATA_API_KEY and documents calls to https://api.agntdata.dev. The requested artifacts (single API key, curl) match the stated capability.
Instruction Scope: noteSKILL.md provides curl examples, discovery endpoints, activation/register step, and webhook guidance. The only noteworthy item: webhooks use a secret UUID embedded in the receive URL and the doc explicitly states there is no signature verification — this is a provider design/operational security concern (not an incoherence), so treat endpoint URLs as sensitive secrets.
Install Mechanism: okNo install spec or code is included (instruction-only). No downloads or extracted archives — lowest-risk install profile.
Credentials: okOnly one environment variable (AGNTDATA_API_KEY) is required and is appropriate for an API client that centralizes access to many platforms. Note that this single key grants broad access across multiple social platforms, so it is a high-sensitivity credential and should be protected accordingly.
Persistence & Privilege: okalways: false and no config paths or system modifications are requested. The skill does not request permanent/global privileges or alter other skills' configurations.