ClawHub
Back to skill
v1.0.0

Geepers Corpus

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:49 AM.

Analysis

This instruction-only skill documents read-only corpus API queries, but users should verify the third-party API provider and treat the API key as sensitive.

GuidanceBefore installing, verify that https://api.dr.eamer.dev is the corpus provider you intend to use, use a dedicated API key, and avoid sending sensitive or private text unless you trust that service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceMediumStatusNote
metadata
Source: unknown
Homepage: none

The skill depends on an external corpus API, but the registry metadata provides no source or homepage for users to validate the service provenance.

User impactUsers have less information to confirm who operates the API endpoint before sending queries or using an API key.
RecommendationVerify the API provider and documentation out of band before installing or configuring credentials.
Human-Agent Trust Exploitation
SeverityInfoConfidenceMediumStatusNote
SKILL.md
name: geepers-corpus ... # Dreamer Corpus ... Access the COCA corpus API at `https://api.dr.eamer.dev`.

The registry/skill naming, document title, and API host use different branding, which could confuse users about whether this is the expected corpus provider.

User impactA user may assume the API is an official or familiar COCA service without confirming the actual provider.
RecommendationConfirm the endpoint, branding, and terms of service before trusting results or supplying credentials.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
export DREAMER_API_KEY=your_key_here

The skill instructs users to provide an API key. That is expected for an authenticated API service, but it is still a credential and the registry metadata does not declare a primary credential.

User impactThe agent may use this key when making corpus API requests, so the key should be limited to this service and not reused elsewhere.
RecommendationUse a dedicated, least-privilege API key if available, and remove or rotate it when no longer needed.