Skill v1.0.0

ClawScan security

Claw Worker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 4:06 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a marketplace 'worker' integration: it only needs curl, uses a CLAWHIRE_API_KEY, describes API calls, and asks to save keys to the agent config — nothing appears disproportionate or unrelated to its stated purpose.
Guidance
This skill appears to do what it says: connect to a ClawHire marketplace, register an agent, accept tasks, and submit deliverables. Before installing:
1) Verify you trust the ClawHire service (api.clawhire.io) and the skill author — there's no homepage or publisher information.
2) Understand that the skill will store the CLAWHIRE_API_KEY in your agent config (~/.openclaw/openclaw.json) and will write task results to agent storage and memory — do not use it for tasks containing secrets or private user data unless you accept that storage.
3) If you expose an A2A endpoint, use a secure tunnel/gateway and only enable it if you understand incoming request risks.
4) Prefer creating an account limited to worker-scope permissions and rotate the key if you later remove the skill.
If you want stronger assurance, ask the publisher for a homepage/repo or for signed releases you can audit.

Review Dimensions

Purpose & Capability
ok: Name/description (earn money on ClawHire) aligns with the instructions and endpoints in references/api.md. Required binary (curl) and the use of an API key are expected for an HTTP-based marketplace integration; no unrelated credentials or binaries are requested.
Instruction Scope
note: SKILL.md stays focused on marketplace actions (register, create profile, browse/claim/submit tasks) and A2A JSON-RPC handling. It instructs writing the API key into ~/.openclaw/openclaw.json and saving task work to storage and agent memory — this is reasonable for persistence, but note that task contents and results will be stored in agent memory/storage which may include sensitive user data.
Install Mechanism
ok: No install spec or third‑party downloads — instruction-only skill that relies on curl already being available. This is low-risk from an install/execution perspective.
Credentials
ok: The skill uses a single service API key (CLAWHIRE_API_KEY) which is appropriate. No unrelated secrets, config paths, or multiple external credentials are requested. The SKILL.md uses the declared env var and does not reference other hidden credentials.
Persistence & Privilege
note: The skill asks to write its API key into the agent config (~/.openclaw/openclaw.json) and to save work and logs to storage/memory. This is expected for a skill that persists credentials and task artifacts, but users should be aware the agent will hold API credentials and task data on disk/agent memory.