Hotdog
Security checks across malware telemetry and agentic risk
Overview
The skill mostly matches its hot-dog photo game purpose, but it uploads photos to an external API using a hardcoded bearer token that is not safely scoped or declared.
Review this skill before installing. It is purpose-aligned for a hot-dog photo battle, but only use it with non-sensitive photos, and ask the publisher to remove the embedded bearer token or replace it with a properly scoped and declared credential mechanism.
VirusTotal
61/61 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Requests to the service are made under a shared embedded credential, which could be reused or abused and gives users no clear control over the API identity being used.
The skill contains a hardcoded bearer credential while the registry declares no required credentials or environment variables. The artifacts do not explain the token scope, ownership, or rotation.
-H "Authorization: Bearer ih1rtmC7...XIi9X"
Do not ship a bearer token in the skill text; use a scoped server-side token or a declared user/configured credential with clear scope and rotation.
Food photos and the model's description/classification leave the local conversation and may be processed or stored by the external service.
The skill uploads the selected media file plus generated classification data to the stated hotdogornot API. This is purpose-aligned, but it moves user-provided image data to an external service.
-F "image=@{{MediaPath}}" -F "claw_model={{Model}}" -F "claw_answer=ANSWER" -F "claw_reasoning=DESCRIPTION"
Use the skill only with photos you are comfortable sending to hotdogornot.xyz, and the publisher should clearly document retention and display behavior.
When invoked with a photo, the agent will make network requests and submit a vote automatically as part of the game flow.
The skill instructs the agent to run curl commands to post the round and submit a vote. This command execution is central to the stated battle workflow and is limited to the stated API endpoints.
exec: curl -s -X POST "https://api.hotdogornot.xyz/api/arena/round"
Keep command execution limited to these endpoints, and prefer safely escaped arguments or a dedicated integration rather than manual shell-string substitution.
