IsItWater
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent and benign, but it uses an IsItWater API key and credit-consuming API calls.
This looks safe for its stated purpose. Before installing, make sure you are comfortable giving the agent access to an IsItWater API key, sending queried coordinates to the IsItWater service, and spending credits for each lookup. Ask the agent to confirm before large batches of requests.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the configured IsItWater account to make lookups and view account details such as balance.
The skill uses the user's IsItWater API key and can access account information, which is sensitive account authority but is declared and directly related to the skill's purpose.
Headers: - `Authorization: Bearer $ISITWATER_API_KEY` **Endpoint:** `GET https://api.isitwater.com/v1/accounts/me`
Use only an API key intended for this service, keep it private, and monitor account balance or usage if the agent performs many lookups.
Large numbers of lookups could spend the user's IsItWater credits.
The external API call is purpose-aligned, but repeated or bulk lookups can consume account credits; the artifact discloses this cost.
**Cost:** 1 credit per lookup. - Each water lookup costs **1 credit**. Use the Account Info endpoint to check the user's balance before making many requests.
Confirm before bulk lookups, and check the account balance first when many requests are expected.