Skill v1.1.0

ClawScan security

Funding Program Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 24, 2026, 4:38 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match its stated purpose (managing Karma funding programs) but the SKILL.md expects credentials, environment variables, and command-line tools that the skill metadata does not declare — and it instructs saving API keys to persistent files, which is a notable privacy/operational risk.
Guidance
Things to consider before installing/using this skill:
- The SKILL.md will ask for or generate a KARMA_API_KEY and instruct saving it to either a plugin data folder or your shell startup file (~/.zshrc or ~/.bashrc). Persisting keys to disk increases risk if the key has broad permissions.
- The skill metadata does not declare the required env vars (KARMA_API_KEY, optional KARMA_API_URL, CLAUDE_PLUGIN_DATA) nor the CLI tools the instructions use (curl, uuidgen, grep, sed). This mismatch prevents automated checks and is a red flag: ask the publisher to update metadata to list required env vars and binaries.
- The Quick Start flow can auto-generate an API key via POST /v2/agent/register. If you use this, treat the resulting key like a high-privilege secret. Prefer creating a scoped/test key with the minimum permissions needed (or use a sandbox/test Karma account) rather than your main account or a key that controls funds.
- Verify the API host (gapapi.karmahq.xyz) and confirm this skill is authored by an official Karma publisher (there's no homepage specified and the registry owner is an ID). If you can't confirm provenance, avoid providing production credentials.
- If you proceed: create a limited-scope or time-limited API key, do not store production keys on shared machines or in persistent shell rc files, and restrict file permissions on any credentials saved under CLAUDE_PLUGIN_DATA.
If you want, I can: (1) produce a short list of questions to ask the skill author to clarify metadata and key scopes; (2) suggest a safe test workflow (create a test key, run read-only calls first); or (3) draft a safer credential storage approach for your environment.

Review Dimensions

Purpose & Capability: ok
The skill's name/description and all runtime instructions target the Karma funding API (gapapi.karmahq.xyz) and describe program, reviewer, application, milestone, payout, and agreement management. Requiring a Karma API key and calling those endpoints is coherent with the stated purpose.
Instruction Scope: concern
The SKILL.md instructs the agent to run many curl commands, create API keys, verify email, create programs, manage payouts, and persist API keys. It accesses environment variables and filesystem paths (KARMA_API_KEY, KARMA_API_URL, CLAUDE_PLUGIN_DATA, $HOME/.zshrc, $HOME/.bashrc) and uses CLI tools (curl, uuidgen, grep, sed, mkdir). However, the skill metadata does not declare any required env vars or binaries. Instructions to write API keys into shell rc files or plugin data expand the skill's scope and introduce persistence/exfiltration risk; these file writes are not justified in the metadata.
Install Mechanism: ok
This is an instruction-only skill with no install spec and no code files, so it does not install third-party packages or download remote archives. That minimizes install-time risk.
Credentials: concern
Although the skill logically needs a Karma API key to operate, requires.env and primary credential are declared as none. The SKILL.md repeatedly references KARMA_API_KEY and optionally CLAUDE_PLUGIN_DATA and KARMA_API_URL. This mismatch (undeclared but required credentials and env vars) is a configuration inconsistency that prevents automated vetting and is a security/privacy concern because the instructions tell the agent to persist the API key to disk.
Persistence & Privilege: note
The skill does not request always:true and does not modify other skills. However, it instructs persisting the obtained API key to either a plugin data directory (CLAUDE_PLUGIN_DATA) or to the user's shell rc (~/.zshrc or ~/.bashrc), granting long-term access to the Karma account from the environment. Persisting credentials is functional for the skill but increases the blast radius if the key is overprivileged or exposed.