ClawMart Creator
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is coherent for managing ClawMart listings, but it uses a creator API key and can make marketplace listing changes that users should review carefully.
Before installing, be comfortable giving the agent access to a ClawMart creator API key. Confirm listing names, prices, package contents, updates, deletions, and publishing actions before allowing API calls.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create, update, delete, or upload versions of ClawMart listings if the user asks it to manage those listings.
The skill documents mutating ClawMart API actions, including create, update, delete, and package upload. This is aligned with its marketplace-management purpose, but these actions can materially change the user's creator account.
POST /listings — create draft listing ... PATCH /listings/{id} ... DELETE /listings/{id} ... POST /listings/{id}/versions — upload package versionReview and approve each mutating action, especially deletes, updates, package uploads, prices, and publish actions.
Anyone or any agent process with access to the API key may be able to act on the user's ClawMart creator account within that key's permissions.
The skill requires a bearer API key for the user's ClawMart creator account. This is expected for the integration, but it grants delegated account authority and is not reflected in the registry's required credential metadata.
`CLAWMART_API_KEY` env var set ... Auth: `Authorization: Bearer ${CLAWMART_API_KEY}`Use a dedicated, least-privilege ClawMart API key if available, keep it out of chat output, and rotate it if exposed.