Skill v1.0.0
ClawScan security
Obul Proxy (x402) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 2:48 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only proxy helper that coherently requires an Obul API key and tells the agent how to forward requests through proxy.obul.ai; nothing in the instructions asks for unrelated access or to install arbitrary code.
- Guidance: This skill appears to do what it says: forward requests through Obul using an OBUL_API_KEY. Before installing or supplying a key, confirm the key requirement in the registry UI (the SKILL.md requests OBUL_API_KEY but the registry metadata here lists none). Only provide a key scoped and rotated for this purpose, avoid embedding it in client-side code or logs, and review Obul's pricing/billing and privacy terms (requests proxied through Obul may incur charges and send request payloads to their service). If you want additional assurance, contact the skill owner or verify the skill package in a trusted registry entry that includes the declared env var and a trustworthy homepage/repository.
Review Dimensions
- Purpose & Capability (ok): The name/description (Obul proxy for x402 endpoints) aligns with the runtime instructions: they show how to call https://proxy.obul.ai and include an OBUL_API_KEY. The only capability requested (an Obul API key) is appropriate for a proxy integration.
- Instruction Scope (ok): SKILL.md only instructs building HTTP requests to the Obul proxy, checking /healthz, and including the OBUL_API_KEY header. It does not ask the agent to read unrelated files, scan local state, or send data to unexpected endpoints.
- Install Mechanism (ok): There is no install spec and no code files; this is instruction-only and therefore does not write or execute code on disk. That is the lowest-risk install mechanism.
- Credentials (note): The SKILL.md declares a single required environment variable (OBUL_API_KEY) which is proportionate for an API proxy. However, the registry metadata supplied with the skill (above) indicated no required env vars/primary credential; this mismatch between the skill document and registry metadata should be resolved before trusting automated installs or prompts to provide credentials.
- Persistence & Privilege (ok): "always" is false and there is no install step that modifies agent configuration or other skills. The skill does not request persistent elevated privileges.
