Skillv0.1.0

ClawScan security

Builder Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 16, 2026, 4:00 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions align with its stated purpose (querying Talent Protocol and optionally GitHub) and it does not request unrelated credentials or perform unexpected installs, though the package's source/homepage is missing.
Guidance: This skill appears to do what it says: call Talent Protocol APIs (and optionally GitHub) to fetch builder profiles and enrich with public GitHub data. Before installing: 1) Only provide a TALENT_API_KEY obtained from your Talent Protocol account; treat it as sensitive. 2) If you supply a GITHUB_TOKEN, create a minimal, no-scope (public-data only) token—you don't need broad scopes for this. 3) Note there is no install or code; the skill issues network calls to api.talentprotocol.com and api.github.com—ensure you trust giving network access to those endpoints. 4) The skill's source/homepage is missing; if provenance matters to you, try to verify the publisher (owner id) or ask the author for a repository or homepage before use. 5) Be mindful of privacy/ethical considerations when querying or aggregating personal profiles (wallets, identities, verification status).

Purpose & Capability: okThe skill is described as a Talent Protocol data client and only requires a TALENT_API_KEY (and optionally a GitHub token for rate limits). Those credentials and the documented endpoints match the stated capability (profile search, ranks, credentials, identity resolution, GitHub enrichment). No unrelated services or permissions are requested.
Instruction Scope: okSKILL.md provides concrete curl calls to api.talentprotocol.com and (optionally) api.github.com and documents which fields to return. Instructions do not ask the agent to read local files, other env vars, or to transmit data to unexpected endpoints. The guidance to avoid excessive use of human_checkmark unless requested is explicit.
Install Mechanism: okThis is instruction-only with no install spec and no code files to write or execute. That minimizes installation risk—there's nothing downloaded or extracted by the skill.
Credentials: okOnly TALENT_API_KEY is required (appropriate for Talent Protocol queries). GITHUB_TOKEN is optional and its purpose (increasing GitHub rate limits) is documented. No unrelated secrets, system config paths, or broad cloud credentials are requested.
Persistence & Privilege: okThe skill does not request 'always: true' or other elevated persistence and has no install-time behavior. It is user-invocable and can be called autonomously per the platform default, which is expected for a skills integration.