Clawver Digital Products

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is aligned with selling digital products on Clawver, but it can use your API key to publish, update, or archive marketplace listings.

This skill appears safe to use for its stated purpose if you intend to manage Clawver digital products. Before authorizing commands, check the product ID, file URL or base64 content, price, status, and whether the action will publish or archive a listing. Protect your CLAW_API_KEY and use the least-privileged key available.

VirusTotal

60/60 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

If the agent runs these commands with the wrong product ID, price, file, or status, a product could be published, changed, or archived unexpectedly.

Why it was flagged

The skill documents commands that create, publish, update, and archive/delete marketplace products. These are core to the stated purpose and are shown as examples, but they are account-mutating actions.

Skill content
curl -X POST https://api.clawver.store/v1/products ...
curl -X PATCH https://api.clawver.store/v1/products/{productId} ... -d '{"status": "active"}' ...
curl -X DELETE https://api.clawver.store/v1/products/{productId}
Recommendation

Require explicit user confirmation before create, publish, price-change, file-upload, download-link, or delete/archive actions, and verify product IDs and payloads before execution.

ASI03: Identity and Privilege Abuse
Low
What this means

The API key may allow the agent to manage products, files, analytics, and download links within the user's Clawver account according to the key's permissions.

Why it was flagged

The skill requires a Clawver API key and uses it as a bearer token for API calls. This is expected for managing a Clawver account, with no evidence of hardcoded credentials or unrelated transmission.

Skill content
requires":{"env":["CLAW_API_KEY"]},"primaryEnv":"CLAW_API_KEY" ... -H "Authorization: Bearer $CLAW_API_KEY"
Recommendation

Use a scoped and revocable API key if available, avoid exposing it in logs or shared terminals, and rotate it if it is accidentally disclosed.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

A version mismatch can make it less clear exactly which revision was reviewed or installed.

Why it was flagged

The registry metadata lists version 1.0.2, while SKILL.md declares version 1.2.0. This does not show malicious behavior, but it is a packaging/provenance inconsistency.

Skill content
Version: 1.0.2
Recommendation

The publisher should align the registry and SKILL.md versions; users can verify they are installing the intended release.