Skill v0.1.0

ClawScan security

X Founder Operations · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 25, 2026, 9:49 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's documentation and included Python scripts describe automated access to your X account (mentions, DMs, metrics, posting cadence) but the package declares no credentials or install steps—review the code and credential handling carefully before use.
Guidance
Before installing or running this skill, do the following:

1) Inspect the Python scripts (scripts/*.py) yourself or have a developer review them for network calls (requests/httpx/urllib), subprocess exec, and any hardcoded endpoints. Look for code that reads files outside the skill folder or attempts to POST data to non-X domains.
2) Search the code for where X API keys or tokens would be read. If the scripts expect tokens, confirm whether they read them from a config file, environment variables, or prompt the user. The skill currently declares no required credentials — ask the author to document the authentication flow.
3) If you need to provide credentials, use a least-privileged X API token and avoid pasting full-account credentials into unclear files. Consider using short-lived tokens and revoke them after testing.
4) Run the scripts in an isolated environment (container or VM) with network monitoring turned on. Test with a throwaway X account first to observe behavior (does it post, DM, or only read?).
5) Confirm all external endpoints are legitimate (api.x.com or other documented X endpoints). Reject or inspect any traffic to unfamiliar domains or personal servers.
6) Prefer a version of the skill where the author documents required dependencies, exact credential names, and a minimal set of scopes needed. If the author cannot provide clear provenance and a README mapping actions → required tokens, treat the skill as risky.

What would change this assessment: if the author publishes the script source with clear comments showing only local, read-only analysis (no network calls), or documents an explicit, minimal OAuth flow in which the scripts run only when you intentionally supply a token and the skill does not transmit data to third-party endpoints, then the mismatch concerns would be resolved and the skill could be reevaluated as coherent.

Review Dimensions

Purpose & Capability
Concern: The SKILL.md describes automated tasks that fetch mentions, DMs, trending topics, post reminders, and collect analytics — all actions that typically require authenticated access to X APIs or scraping. Yet the registry metadata lists no required environment variables, no primary credential, and no config paths for API tokens. The presence of three substantial Python scripts strongly implies programmatic access; the lack of declared credentials is an incoherence.
Instruction Scope
Concern: Instructions include 'automated actions' (Morning Scan, collect metrics, check DMs, fetch trending topics) and reference the validation script. They imply network access and reading account-specific data. SKILL.md instructs copying and editing local config files (profile/goals/watchlist) but gives no explicit instructions on where API keys should go or how to authenticate. If the agent or the scripts run, they could access sensitive account data; the runtime instructions are incomplete about credential handling and execution scope.
Install Mechanism
Note: No install spec is provided (lowest formal install risk), but the skill bundle includes non-trivial Python scripts (analytics_reporter.py, content_planner.py, x_data_validator.py). That combination is unusual: instruction-only metadata but with executable code present. Because there's no declared install or sandboxing, it's unclear how/when those scripts will be executed and what dependencies or network calls they perform — you should inspect them before running.
Credentials
Concern: The SKILL.md expects access to X account data (mentions, DMs, analytics) yet requires zero environment variables and lists no API credentials. Useful operation would normally require API tokens, OAuth credentials, or at least guidance on providing them in config. This mismatch is disproportionate and may hide where credentials must be supplied or how they're used.
Persistence & Privilege
OK: The skill does not request always:true and does not declare system-wide config changes. Model invocation is allowed by default (normal). There are no declared persistent privileges or modifications to other skills in the metadata.