Back to skill
Skillv1.0.0
ClawScan security
Rising Transfers — Transfer Intel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 8:58 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests, instructions, and required credential (RT_API_KEY) are consistent with its stated purpose of querying a Rising Transfers API for transfer rumours and credibility scoring.
- Guidance
- This skill appears coherent and limited to calling api.risingtransfers.com with a single API key. Before installing: (1) confirm you trust Rising Transfers and their privacy policy (the SKILL.md points to their domain), (2) treat RT_API_KEY like any API secret — store it safely and revoke it if you suspect misuse, (3) monitor credit usage (some calls consume credits), and (4) if you don't want the agent invoking the skill autonomously, disable automatic skill discovery in your agent config. Because this is instruction-only, there is no bundled code to inspect — if you need stronger assurance, verify the API domain, documentation, and the owner’s GitHub repository directly.
Review Dimensions
- Purpose & Capability
- okThe skill is described as a transfer-intel integration and only requests a single API key (RT_API_KEY) and network access. That key is appropriate and expected for calling the Rising Transfers API; no unrelated credentials, binaries, or system paths are requested.
- Instruction Scope
- okSKILL.md contains explicit runtime instructions that limit activity to three API endpoints on api.risingtransfers.com and specifies exactly what data is sent (player/club names). The instructions do not ask the agent to read local files, other env vars, or transmit conversation history. The 'do not fabricate' and error-handling guidance reduce scope creep.
- Install Mechanism
- okThere is no install specification and no code files — this is an instruction-only skill that relies on existing runtime/network capability. That minimizes on-disk changes and is proportionate for the described functionality.
- Credentials
- okOnly RT_API_KEY is required (primary credential). Hot Topics mode is documented to work anonymously. No other SECRET/TOKEN/PASSWORD env vars are requested, which is proportional to the skill's purpose.
- Persistence & Privilege
- okThe skill is not marked always:true and does not request system-wide persistence or modification of other skills. It may be invoked autonomously by the agent (platform default), which is expected for a query-style integration.