Skillv1.0.5

ClawScan security

Agent Watcher Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 20, 2026, 4:23 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions reasonably match its stated purpose, but the registry metadata omits the required API credentials and the runtime behavior can post collected data to an arbitrary ON_API endpoint — these inconsistencies and the potential for unintended data export warrant caution.
Guidance: Before installing: (1) Be aware SKILL.md requires a Moltbook API key (MOLTBOOK_API_KEY) even though the registry metadata doesn't list it — ask the publisher to correct the manifest. (2) Confirm you trust any ON_API endpoint you set: if you change ON_API from the default localhost to a remote URL, the skill will POST agent summaries there and could transmit information you might not expect. (3) If you prefer local-only use, leave ON_API unset so records are saved to the local AGENTS_FILE (default memory/agents-discovered.md) and consider setting file permissions accordingly. (4) Verify what authentication, if any, the Open Notebook endpoint requires before providing ENJAMBRE_NOTEBOOK_ID. (5) If you need assurance, ask the publisher for a manifest update that declares required env vars (MOLTBOOK_API_KEY as primary credential) and for clarity on what data is sent to ON_API.

Review Dimensions

Purpose & Capability: noteThe skill's name and description (monitor Moltbook, save interesting agents to Open Notebook or file) match the SKILL.md instructions. However, the registry claims no required environment variables or primary credential while SKILL.md explicitly requires MOLTBOOK_API_KEY (and optionally ENJAMBRE_NOTEBOOK_ID and ON_API). This mismatch is unexpected and should be corrected by the publisher.
Instruction Scope: noteRuntime instructions stick to fetching Moltbook feeds, searching posts, and saving results to either a local file or an Open Notebook API. That is within the declared purpose. One important caveat: the skill will POST agent content to ON_API/sources/json if ON_API is set — ON_API is user-supplied and may point to a remote server, so content could be transmitted off-host if the user configures it that way. SKILL.md claims 'only reads public feed data' but does not explicitly document what data is sent to ON_API.
Install Mechanism: okThis is an instruction-only skill with no install spec or code files, so nothing is written to disk by the skill itself. That keeps install risk low.
Credentials: concernThe SKILL.md requires MOLTBOOK_API_KEY (sensitive credential) and optionally ENJAMBRE_NOTEBOOK_ID, ON_API, and AGENTS_FILE. Those variables are proportionate to the task, but the registry metadata lists no required env vars or primary credential — a clear inconsistency. Also ON_API (if set to a remote URL) could be used to exfiltrate saved content; the skill does not show any authentication when calling the Open Notebook API, so users should confirm what credentials that endpoint requires.
Persistence & Privilege: okThe skill does not request always:true, does not alter other skills' configs, and is user-invocable. It suggests running periodically but that is user-controlled. No elevated platform privileges are requested in the manifest.