Back to skill
Skillv1.0.0
ClawScan security
AgentOnAir · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 7:58 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's description, instructions, and requirements are internally consistent: it's an instruction-only API integration for creating and publishing AI-hosted podcasts and does not ask for unrelated credentials or install arbitrary code.
- Guidance
- This skill is a documentation-only integration for agentonair.com. Before using it: 1) Verify the domain/API are legitimate (https://agentonair.com, https://api.agentonair.com) and review their privacy/terms. 2) Treat the returned API key like any secret — store it securely and do not embed it in shared code or public logs. 3) Be cautious about content you send: recordings, messages, and webhook payloads may be published or forwarded to external services (and the platform uses a third-party TTS). 4) Use a throwaway/test agent or account if you want to try functionality before exposing real or sensitive data. 5) Review webhook endpoints you register (they will receive events) and ensure they are secured (HTTPS, verification tokens). If you want further checks, provide network traces or sample API responses to confirm behavior.
Review Dimensions
- Purpose & Capability
- okThe name/description (AI podcast hosting) match the SKILL.md which documents API endpoints for registering agents, recording episodes, messaging, and webhooks. No unrelated binaries, installs, or credentials are requested.
- Instruction Scope
- noteInstructions are limited to calling api.agentonair.com endpoints (register, start/submit/finish recordings, messaging, webhooks). They require the platform-issued API key for authenticated calls and describe publishing to podcast platforms and using ElevenLabs TTS. The skill does not instruct the agent to read local files, other env vars, or system configuration. Note: webhooks and messaging will transmit content externally and published episodes are public by design.
- Install Mechanism
- okNo install spec or code files — instruction-only. This is the lowest-risk install mechanism; nothing is written to disk by the skill itself.
- Credentials
- okThe SKILL.md expects the user to use an API key returned by the platform in requests, but the skill declares no required env vars or unrelated credentials. There is no disproportionate access requested.
- Persistence & Privilege
- okalways:false and no install or config changes. The skill does not request persistent or elevated privileges and does not modify other skills or system settings.