ClawHub

Builder Data

PassAudited by ClawScan on May 1, 2026.

Overview

This is a coherent read-only API helper for Talent Protocol and GitHub data, with the main caution that it uses credentials to look up and combine identity, wallet, reputation, and public GitHub information.

Before installing, be aware that this skill is meant to look up and correlate builder identity, wallet, reputation, credential, and public GitHub data through Talent Protocol and GitHub APIs. The behavior is disclosed and read-only, but you should provide only appropriate API tokens and avoid asking it to look up identifiers you do not want sent to those services.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI03: Identity and Privilege Abuse
What this means

Using the skill may consume API quota and allow the agent to retrieve linked profile, identity, wallet, reputation, and public GitHub data through your credentials.

Why it was flagged

The skill requires a Talent Protocol API key and optionally uses a GitHub token; this is purpose-aligned and disclosed, but it is credentialed access to identity/profile data and is under-declared by the registry metadata.

Skill content
`TALENT_API_KEY` | **Yes** | API key for Talent Protocol (read access to profile/identity data) ... `GITHUB_TOKEN` | No | Personal access token for higher GitHub rate limits
Recommendation

Use least-privileged credentials, prefer a no-scope GitHub token if needed, do not share tokens in prompts, and update/verify metadata so required credentials are clear before installation.

Info
#ASI02: Tool Misuse and Exploitation
What this means

Identity or location queries you ask the agent to perform may be transmitted to Talent Protocol or GitHub as part of normal operation.

Why it was flagged

The skill directs the agent to make raw external API requests to Talent Protocol and GitHub. These calls are read-only and aligned with the stated purpose, but queried handles, wallet addresses, locations, or usernames may be sent to third-party services.

Skill content
curl -H "X-API-KEY: $TALENT_API_KEY" "https://api.talentprotocol.com/..." ... GET https://api.github.com/users/{username}
Recommendation

Use the skill only for intended lookups and avoid querying sensitive or private identifiers unless you are comfortable sending them to the referenced APIs.