Skill v1.0.2

ClawScan security

Belong Events - Discover and Organize · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 10:01 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested credentials are consistent with a Belong events integration and do not request unrelated secrets or unusual system access.
Guidance
This skill appears coherent with its stated purpose, but you should: (1) confirm you trust Belong (requests go to join.belong.net by default) before providing an email/OTP or allowing the skill to store an apiKey; (2) prefer the OTP flow as documented instead of pasting API keys; (3) be aware that authenticated calls will send any provided params (event details, wallet addresses, etc.) to the Belong endpoint; and (4) note the skill's source/homepage are not provided—if you need stronger assurance, ask the publisher for a canonical source or inspect a signed release before enabling it in production.

Review Dimensions

Purpose & Capability
ok: Name/description (discover/manage events, hubs, tickets, check-ins, wallets) align with the provided tooling and methods. Required binary (curl) and primary credential BELONG_EVENTS_API_KEY are appropriate for calling a remote Belong API gateway.
Instruction Scope
ok: SKILL.md confines runtime behavior to calling the included invoke.sh wrapper and performing an OTP account-link flow. It does not instruct reading arbitrary local files or exfiltrating data to unexpected endpoints; all network calls target the Belong gateway (or an override endpoint). It does instruct storing the returned apiKey in an env var or openclaw.json for subsequent authenticated calls, which is expected for account linking.
Install Mechanism
ok: No install spec (instruction-only) and a small, non-obfuscated invoke.sh script that posts JSON-RPC to a Belong domain. No downloads or archive extraction are used.
Credentials
ok: Only the primary credential BELONG_EVENTS_API_KEY (and an optional BELONG_EVENTS_ENDPOINT) are used. There are no unrelated credentials or high-privilege env vars requested. The skill asks for the user's email and OTP during account linking — expected for the described flow — and explicitly instructs never to ask users for manual API keys.
Persistence & Privilege
ok: Skill does not request always:true and does not require elevated system privileges. It suggests storing the apiKey in the agent config or env var for convenience, which is normal for authenticated integrations; it does not modify other skills or system-wide settings.