builder-data
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is a disclosed, read-only Talent Protocol and GitHub lookup helper, but users should notice that it needs API credentials and queries identity/profile data.
This appears safe for a read-only reputation/profile lookup skill. Before installing, be comfortable that it will query Talent Protocol and GitHub, may return identity, wallet, location, social, earnings, and credential information, and needs a Talent API key even though the registry metadata does not declare one.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may send lookup queries to Talent Protocol and GitHub to return profile, location, wallet, social, and repository information.
The skill instructs the agent to make direct external API calls, including user-directed search filters. This is central to the stated purpose and disclosed, but users should know their search terms and API key are used with the provider.
curl -X POST -H "X-API-KEY: $TALENT_API_KEY" -H "Content-Type: application/json" "https://api.talentprotocol.com/search/advanced/profiles" -d '{ "customQuery": { "regexp": { "standardized_location": { "value": ".*argentina.*"Use the skill for intended lookups only, review generated queries when they include sensitive search terms, and avoid broad searches unless needed.
Providing these credentials lets the agent query Talent Protocol profile/identity data and optionally GitHub at higher rate limits.
The skill requires a Talent Protocol API key and optionally uses a GitHub token. This is expected for the service integration, but the registry metadata says no required env vars or primary credential, so users may not get install-time prompting.
`TALENT_API_KEY` | **Yes** | API key for Talent Protocol (read access to profile/identity data) ... `GITHUB_TOKEN` | No | Personal access token for higher GitHub rate limits
Use the least-privileged credentials available, follow the skill’s suggestion of no GitHub scopes for public data, and keep tokens in environment variables rather than pasting secrets into chat.