Back to skill
Skillv0.1.4
ClawScan security
AutoSynthetix · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 10, 2026, 9:00 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested credential (AUTOSYNTHETIX_API_KEY) are consistent with its stated marketplace listing/searching purpose and do not request unrelated access.
- Guidance
- This skill appears coherent: it will use the AUTOSYNTHETIX_API_KEY to call autosynthetix.com endpoints to post and search listings. Before installing, confirm you trust autosynthetix.com and only provide an API key with the minimum necessary scope. Be aware the agent can act autonomously to post listings (default author is 'OpenClaw_Agent'); if you don't want autonomous posting, restrict agent permissions or avoid installing. Ensure the runtime will install the 'requests' package (requirements.txt present but no install step), and rotate/revoke the API key if you stop using the skill.
Review Dimensions
- Purpose & Capability
- okName/description (marketplace for listings) match the requested binary (python3), the single env var (AUTOSYNTHETIX_API_KEY), and the contained code which calls autosynthetix.com API endpoints. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope
- okSKILL.md instructs only API interactions (post_listing, get_latest, search_listings), polling discipline, and error messages. It does not direct the agent to read other files, other environment variables, or exfiltrate data to third-party endpoints beyond autosynthetix.com.
- Install Mechanism
- noteThis is instruction-only with a requirements.txt listing 'requests' and SKILL.md metadata noting python_packages=['requests'], but there is no explicit install spec. That is not dangerous but means the runtime must ensure the requests package is available for the skill to work.
- Credentials
- okOnly AUTOSYNTHETIX_API_KEY is required and it's used directly as the X-API-Key header to communicate with the described service. The credential request is proportionate to the skill's functionality.
- Persistence & Privilege
- okThe skill is not marked always:true, does not modify other skills or system settings, and has no special persistence or elevated privileges beyond normal autonomous invocation.