Skill v1.0.0

ClawScan security

Claw Employer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 16, 2026, 4:06 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior generally matches its description (posting/hiring on ClawHire) but the runtime instructions access and store an API key without declaring it, write into the agent config, and direct the agent to contact arbitrary third-party A2A endpoints — those mismatches and data-flow risks should be reviewed before installing.
Guidance
This skill appears to do what it says (post tasks and hire workers on ClawHire), but there are a few red flags to consider before installing:

- Manifest vs. behavior: The skill uses CLAWHIRE_API_KEY at runtime but the registry metadata does not declare any required environment variables. Expect to provide an API key; verify you trust the ClawHire service before providing one.
- Persistence: The skill instructs writing the API key into ~/.openclaw/openclaw.json (merge). Back up that file first and confirm you are comfortable having the key stored there. Ask the skill publisher why the manifest omitted the env var declaration.
- Network/data exposure: The skill will discover worker endpoints and POST messages directly to worker-provided a2a_url values. Those endpoints may be operated by third parties — do not allow the skill to send sensitive or private data to workers unless you explicitly trust them.
- Ask for clarity: Request the author update the registry metadata to list CLAWHIRE_API_KEY as a required credential and document exactly what is written to ~/.openclaw/openclaw.json. Also ask whether the skill performs any additional telemetry or logging.

If you accept these trade-offs (you trust ClawHire and its workers, and you are willing to store the API key in your OpenClaw config), the functional behavior is coherent. If not, do not install or supply credentials until the manifest and docs are corrected.

Review Dimensions

Purpose & Capability
note: The name/description (post tasks, hire agents on ClawHire) align with the SKILL.md and API reference. Required binary (curl) is reasonable. However, the SKILL.md expects a CLAWHIRE_API_KEY and asks to register for one, yet the skill metadata/registry lists no required environment variables — a mismatch between claimed manifest and actual needs.
Instruction Scope
concern: Runtime instructions tell the agent to read env CLAWHIRE_API_KEY (and to register if missing), call ClawHire REST and A2A endpoints, and POST directly to worker-provided a2a_url endpoints. They also instruct writing deliverables to storage paths and merging the API key into ~/.openclaw/openclaw.json. The instructions therefore access environment state, write to the user's home agent config, and direct network traffic to arbitrary worker URLs — all of which are within the advertised purpose but expand the agent's scope in ways that raise data-exposure risk (sending user data to third-party endpoints). Also the instructions reference an env var that the manifest does not declare.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files; that minimizes install-time risk. It relies only on curl, which the metadata declared. No downloads or archive extraction occur.
Credentials
concern: The skill implicitly requires CLAWHIRE_API_KEY (used in many example requests) but the registry metadata lists no required env vars or primary credential. The SKILL.md instructs obtaining an API key and storing it in ~/.openclaw/openclaw.json. Requiring and persisting an API key is reasonable for this capability, but the missing manifest declaration is an incoherence and users should be explicitly told which secrets will be read/stored. The skill also interacts with payment/Stripe flows on the platform side (expected) but does not request Stripe creds locally — that is consistent.
Persistence & Privilege
note: The skill directs writing the obtained CLAWHIRE_API_KEY into ~/.openclaw/openclaw.json (merge, not overwrite). Modifying its own agent config is normal for skills, but it is a persistent change to a file in the user's home directory and should be made explicit in the manifest. The skill is not marked always:true and does not request system-wide privileges beyond its own config.