Back to skill
Skillv1.0.0
ClawScan security
Lap Agentos Api V3 Maintenance Call Group · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 20, 2026, 9:36 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only wrapper for a single agentOS maintenance API endpoint and the requested API key matches that purpose; there are no surprising installs or extra credentials.
- Guidance
- This is an instruction-only skill that only needs one API key for the agentOS maintenance endpoint and otherwise does not install or access other secrets. Before installing: confirm the API host (live-api.letmc.com) and the env var name match your provider; treat the API key like any secret (use least privilege and rotate if possible); be aware the README shows 'npx' commands which, if you run them, will fetch packages from npm; and if you need stronger assurance, request the full API spec (references/api-spec.lap) or a signed source/homepage from the publisher.
Review Dimensions
- Purpose & Capability
- okName, description, base URL, and the single required env var (AGENTOS_API_V3_MAINTENANCE_CALL_GROUP_API_KEY) are consistent with a maintenance-call-group API client for agentOS; no unrelated credentials or binaries are requested.
- Instruction Scope
- okSKILL.md only documents authentication, the POST endpoint to create a maintenance job, and CLI examples to fetch/search the spec. It does not instruct reading unrelated files, accessing other environment variables, or exfiltrating data. Note: CLI examples use 'npx' to fetch the spec, which will perform a network fetch if run.
- Install Mechanism
- okNo install spec or code files are present (instruction-only), so nothing is written to disk by the skill itself. The only potential runtime network activity would come from optional 'npx' CLI commands shown in examples, but those are not enforced by the skill.
- Credentials
- okOnly one required environment variable is declared and it matches the API key needed to authenticate to the described API. No unrelated secrets or config paths are requested.
- Persistence & Privilege
- okSkill does not request always:true, does not modify other skills, and has no install-time persistence. Autonomous invocation is allowed (platform default) but is not combined with other elevated privileges.