Back to skill
Skillv1.0.14
ClawScan security
Facebook API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 30, 2026, 4:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose: it wraps a third‑party agntdata Facebook proxy API, requires a single AGNTDATA_API_KEY and curl, and its instructions operate only against the agntdata endpoints.
- Guidance
- This skill is coherent with its description, but it acts as a third‑party proxy (api.agntdata.dev) for Facebook data—verify you trust that provider before supplying your AGNTDATA_API_KEY. Do not include sensitive or personally identifying details in the one‑time `useCase` registration payload. Confirm billing/pricing and privacy terms on the agntdata site, and avoid sharing Facebook user passwords (only provide the agntdata API key). If you plan to install the suggested plugin, review its code/permissions separately. Rotate the API key if you suspect it has been exposed.
Review Dimensions
- Purpose & Capability
- okName/description claim a single-credential wrapper for Facebook data; declared requirement (AGNTDATA_API_KEY) and required binary (curl) match that purpose. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- noteSKILL.md instructs the agent to call agntdata.dev endpoints (including a one-time registration POST that sends a short `useCase` description). All network calls are to the documented third-party API and are within the described purpose. Note: the registration step will transmit the user-provided `useCase` string to the provider—do not include sensitive information in that field.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. Lowest-risk install posture for this type of integration.
- Credentials
- okOnly a single API key (AGNTDATA_API_KEY) is required and declared as the primary credential. This is proportionate for a hosted API proxy service. The SKILL.md does not request other environment variables or unrelated secrets.
- Persistence & Privilege
- okSkill does not request always:true and is user-invocable only. It does not modify other skills or system-wide configuration. Default agent invocation is allowed (normal for skills) but not elevated here.