Share use case

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Information from recent conversation could appear in the public use-case draft if the user approves it without checking.

Why it was flagged

The skill intentionally reuses recent chat context to create content that may be submitted publicly, so private or sensitive details could be included if the draft is not reviewed carefully.

Skill content
Look back at the conversation history (last 50-100 messages or past few hours) to understand what the user built.
Recommendation

Review and edit the preview carefully before submitting, especially for secrets, client names, internal project details, or private business information.

What this means

If the user chooses credit, the skill uses an OAuth connection to associate the submission with a Twitter/X or GitHub identity.

Why it was flagged

The helper retrieves an OAuth-related credential/profile object from a Convex service and prints it for the assistant to use for attribution. This is consistent with the stated attribution feature, but it is still identity-related access.

Skill content
const result = await queryConvex('oauth:getToken', { token: args.token }); ... console.log(JSON.stringify(result.value.credential, null, 2));
Recommendation

Check the OAuth consent screen and scopes before approving; choose anonymous submission if you do not want the use case linked to your account.

What this means

After choosing attribution, the assistant may run helper scripts locally to detect OAuth completion and continue submission automatically.

Why it was flagged

The skill tells the assistant to run local commands and poll for OAuth completion. The loop is bounded and tied to the user-selected attribution flow, but it is still automated tool use that users should be aware of.

Skill content
Immediately after sending OAuth links, start polling and watch for completion: ... RESULT=$(node get-credential.js --token [oauth_token] 2>&1)
Recommendation

Only proceed with OAuth if you intend the approved draft to be submitted after connection; keep polling bounded and avoid modifying the helper commands unless you understand them.

What this means

The skill may require Node even though registry requirements do not list required binaries, and version mismatches may make it harder to confirm exactly what release is installed.

Why it was flagged

The package declares Node-based scripts and version 1.0.0, while the registry metadata says version 1.0.1 and no required binaries, and SKILL.md declares version 2.0.1. This packaging inconsistency can make provenance and runtime expectations less clear.

Skill content
"version": "1.0.0", ... "engines": { "node": ">=16.0.0" }, "scripts": { "submit": "node submit.js", "normalize": "node normalize-tools.js" }
Recommendation

Confirm the installed files match the reviewed package and that Node is expected in your OpenClaw environment.