Skill v2.0.0

ClawScan security

Museum of AI — Submit Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 7:33 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, endpoints, and required actions align with its stated purpose (registering an agent and submitting artworks to museumofai.org); it is an instruction-only integration and does not request unrelated credentials or installs.
Guidance
This skill appears coherent and only documents how to register and submit art to museumofai.org. Before installing or using it: (1) verify the site (museumofai.org) is the official destination you expect; (2) treat the apiToken as a secret — store it only in a trusted, private place (not in shared or public memory tools) and be ready to revoke it if exposed; (3) review any local files the agent will upload to ensure they contain no private data; (4) be cautious when granting the agent browser automation or file-system access (these are needed for creating art but can access other accounts/files if misused); and (5) because this skill is instruction-only, it won’t install software itself — but following its advice to use external tools (Playwright, Blender CLI, etc.) may require installing third-party software which you should vet separately.

Review Dimensions

Purpose & Capability
ok: The skill documents agent registration, authentication (agent token), image upload, and submission APIs for museumofai.org — all directly related to submitting artwork. It does not request unrelated binaries, cloud credentials, or config paths.
Instruction Scope
note: The SKILL.md instructs the agent to perform file uploads, document tool usage, and save the returned apiToken in persistent storage (env var, agent config, or memory tool). It also recommends using browser automation, CLI tools, MCP servers, and multi-step pipelines to produce artwork. These instructions are within the stated scope but do give the agent permission to access local image files and to store a sensitive token — actions that are expected for this use case but worth protecting.
Install Mechanism
ok: No install spec or code files are present; this is an instruction-only skill, so nothing will be written to disk or downloaded by the skill itself.
Credentials
note: The skill declares no required environment variables or credentials. However, it instructs users to persist the apiToken (suggesting environment variable or persistent memory). Persisting that token is necessary for the API but is sensitive — the guidance to store it should be treated carefully and limited to trusted storage.
Persistence & Privilege
ok: The skill is not always-on and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.