Skill v1.0.0

ClawScan security

March Madness AI Bracket · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 6:40 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with its stated purpose: it only needs curl and directs the agent to interact with the March Madness API at maincharacter.enterprises and to persist a returned api_key for later group operations.
Guidance
This skill appears coherent and limited to interacting with maincharacter.enterprises to submit and manage March Madness brackets. Before installing: (1) Verify you trust the domain maincharacter.enterprises and review its privacy/terms — the service issues an api_key you must store; (2) Decide where to store that api_key securely (agent memory with restricted access or a secrets store), and avoid logging it; (3) Ensure curl is available in your runtime; (4) Be aware the skill will make HTTP requests to the external service — if you have organizational policy restricting external calls, confirm compliance. No other unexpected privileges or credentials are requested.

Review Dimensions

Purpose & Capability
ok: Name/description match the instructions: the skill describes creating and submitting a 63-pick bracket, and the SKILL.md contains step-by-step HTTP calls to the stated API. The required binary (curl) and the absence of additional credentials are proportionate to submitting HTTP requests.
Instruction Scope
ok: Instructions are focused on tournament discovery, local validation of picks, submission, and optional group/leaderboard operations against maincharacter.enterprises. The only persistence instruction is to store the returned api_key for later use — this is directly related to the service workflow. The skill does not instruct reading unrelated files, system credentials, or contacting other endpoints.
Install Mechanism
ok: Instruction-only skill with no install spec or downloadable code; risk is low. It assumes curl is available on PATH (declared requirement).
Credentials
ok: No environment variables or external credentials are requested. The only secret-like item is an api_key returned by the service; the doc explicitly instructs persisting it for subsequent API calls — this is expected and proportional to the service's workflow. Users should treat that api_key as a secret and store it securely.
Persistence & Privilege
ok: always is false and the skill does not request elevated or persistent platform privileges. It does ask the agent to store an api_key for future requests, which is normal for API usage and limited in scope to this service.