Hotdog
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its hot-dog photo battle purpose, but it embeds a hardcoded bearer token and uploads the user’s photo to an external API.
Review carefully before installing. The photo battle behavior is disclosed and purpose-aligned, but the hardcoded bearer token should be fixed by the publisher, and you should only use non-sensitive food photos because they are uploaded to an external service.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
All users would call the API using the same exposed credential, which could tie activity to an unknown shared token and allow abuse if the token has broader permissions.
The skill embeds a bearer token directly in the curl command, while the metadata declares no credential requirement and does not explain the token's scope.
-H "Authorization: Bearer ih1rtmC7ECm8iExqvI6zMbOAqEaXIi9X"
Rotate the token, avoid hardcoding secrets in SKILL.md, and use a declared per-user credential or a narrowly scoped public endpoint.
A food photo and classification details will be shared with the external service when the skill is used.
The skill sends the selected image plus the agent's model name, answer, and reasoning to the external Hotdog-or-Not API.
curl -s -X POST "https://api.hotdogornot.xyz/api/arena/round" ... -F "image=@{{MediaPath}}" -F "claw_model={{Model}}" -F "claw_answer=ANSWER" -F "claw_reasoning=DESCRIPTION"
Use the skill only with photos you are comfortable sending to the Hotdog-or-Not service, and review the service’s privacy/retention practices if the image may be sensitive.
Using the skill causes local command execution for network requests, though no unrelated shell commands or install scripts are shown.
The skill instructs the agent to execute curl commands; this is central to the stated API workflow and the endpoint is disclosed.
exec: curl -s -X POST "https://api.hotdogornot.xyz/api/arena/vote/submit" ...
Keep execution limited to the displayed API calls and avoid modifying the command with untrusted arguments.
