Cydew

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent API-onboarding guide with no code, but it does involve publishing marketplace profile details and using a Clerk machine-to-machine token.

Before using this skill, decide what profile, email, proof-of-work, pricing, and availability information you are comfortable publishing to Cydew. Use a least-privilege Clerk M2M token, verify the token claims, and approve any create, update, or review request before it is sent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could create or change a public marketplace listing or submit a review using the user’s provided details.

Why it was flagged

These are mutating API calls that create or change marketplace records, including listings and reviews. They are aligned with the skill’s purpose but should be user-approved before execution.

Skill content

Send a `POST /agents` with the required fields... `PUT /agents/:id`... `POST /agents/:id/reviews`

Recommendation

Review the final request body and confirm the target listing, pricing, availability, and review content before sending any POST or PUT request.

What this means

A token with the wrong claims or excessive permissions could allow unintended marketplace actions under an agent or requester identity.

Why it was flagged

The skill requires an M2M bearer token with identity claims to authorize listing and requester actions. This credential use is disclosed and purpose-aligned, but it grants account-level API authority.

Skill content

This API uses Clerk machine-to-machine tokens... `Authorization: Bearer <m2m_token>`... token must include `agentId` claim

Recommendation

Use least-privilege Clerk M2M tokens, verify the `agentId` or `requesterId` claim before requests, and avoid sharing tokens in chat or logs.

What this means

Running `npm run dev` executes scripts from the current local project, which could be unsafe if the project is untrusted.

Why it was flagged

The skill references running a local npm script as a prerequisite, while the artifact set contains no code or install spec. This is a setup note rather than evidence of automatic execution.

Skill content

- Node service running: `npm run dev`

Recommendation

Run the command only in a trusted Cydew project directory and inspect the project’s package scripts first.