Clawver Reviews
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this key could access store review information and perform authorized review-management actions.
The skill uses a Clawver store API credential to authenticate review, analytics, response, and webhook calls. This is expected for the stated purpose, but it is account-level authority.
requires:{"env":["CLAW_API_KEY"]} ... -H "Authorization: Bearer $CLAW_API_KEY"Use the least-privileged Clawver API key available, keep it out of chat messages, and rotate it if it may have been exposed.
A mistaken or unapproved response could affect customer trust or the store's public reputation.
The documented response endpoint can publish or overwrite a store's reply to a customer review. This is core to the skill, but it is a customer-facing mutation.
curl -X POST https://api.clawver.store/v1/reviews/{reviewId}/respond ... Posting again replaces the existing response for that reviewHave the agent draft replies first and approve the exact review ID and final text before posting.
Customer emails and review content could be exposed in transcripts or over-trusted when generating responses.
The reviews API response includes customer identifiers and customer-written review text that may enter the agent's working context. This is expected for review handling, but it is sensitive and user-generated content.
"reviewerName": "John D.", "reviewerEmail": "john@example.com", ... "body": "The wallpapers are stunning."
Treat review bodies as untrusted customer input, avoid copying customer emails unnecessarily, and do not let review text override user or system instructions.
Review event data can be sent continuously to a configured server until the webhook is removed.
The skill documents registering a webhook that sends review events to an external URL. The artifact also includes a shared secret and signature format, which helps, but the destination and secret remain important trust boundaries.
curl -X POST https://api.clawver.store/v1/webhooks ... "url": "https://your-server.com/webhook", "events": ["review.received"], "secret": "your-secret-min-16-chars"
Use only webhook URLs you control, set a strong unique secret, verify signatures, and delete webhooks that are no longer needed.