Platform Healthcheck

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly behaves like a health-check dashboard, but it can read and use existing API keys from other local skill config files even though the registry declares no credentials or config paths.

Review the configured platform list before installing or running. If you have ClawQuests, Colony, or Bankr configs on this machine, assume this health check may read those API keys to test auth status; run with --only or avoid auth checks unless you are comfortable with that.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the health check may use existing API keys from other installed skills to contact their providers and report whether those keys work.

Why it was flagged

The platform list defines local credential files and key names for auth checks; the registry metadata declares no credentials or required config paths, so this high-impact local credential use is under-disclosed.

Skill content

"auth_url": "https://clawquests.com/api/v1/agents/me",
"auth_header": "Authorization",
"auth_config": "~/.clawdbot/skills/clawquests/config.json",
"auth_key": "api_key"

Recommendation

Declare these optional credential/config paths clearly, add a no-auth/default mode or explicit --with-auth option, and prompt or document before using existing keys.

What this means

Providers and local services in platforms.json will be contacted when the check runs.

Why it was flagged

The script makes concurrent HTTP requests to every configured platform, which is expected for a health checker but creates outbound and localhost network traffic from the user's machine.

Skill content

with ThreadPoolExecutor(max_workers=MAX_WORKERS) as pool:
    futures = {pool.submit(check_platform, p): p for p in platforms}
...
resp = urlopen(req, timeout=TIMEOUT, context=ctx)

Recommendation

Review data/platforms.json before running and use --only to limit checks to platforms you intend to contact.

What this means

The local history file may reveal which services are reachable and whether configured credentials appear valid.

Why it was flagged

The script persists health-check results locally, including URLs, status, and auth_status; it appears bounded to the skill data file and does not store raw tokens.

Skill content

HISTORY_FILE = DATA_DIR / "history.json"
...
history.append(entry)
...
history = history[-500:]
...
json.dump(history, f, indent=2)

Recommendation

Clear or protect data/history.json if endpoint availability or auth status is sensitive.