Skill v1.0.0
ClawScan security
Poe Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 3, 2026, 10:30 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and docs are coherent with a Poe API orchestration purpose, but there are notable metadata inconsistencies (the registry listing omitted the required POE_API_KEY) and a few operational risks you should review before installing (external API key use, billing risk, and unknown source).
- Guidance: Key points to consider before installing:
  - Metadata mismatch: The registry summary reported no required env vars, but skill.json and scripts/poe_client.py require POE_API_KEY. Ask the publisher to fix the metadata or confirm the requirement.
  - Provide a scoped/dedicated Poe API key: Use a dedicated account/key with monitoring and spending limits (if Poe supports them). Calls to the Poe API can incur costs, and the skill will make outbound requests using your key.
  - Validate origin and trust: The skill source is listed as unknown. If you don't trust the author, review the included scripts/poe_client.py yourself (it is small and readable) or run it in an isolated environment first.
  - Install only the declared dependency: requirements.txt lists openai>=1.0.0. Prefer installing in a virtualenv/container and inspect network calls during initial tests.
  - Test in sandbox: Run the example scripts in a sandbox, confirm the behavior (which models are actually reachable via your Poe account), and confirm there are no unexpected outbound endpoints beyond the configured base_url.
  - Monitor usage and billing: Because the skill selects and calls potentially expensive models automatically, implement call limits, logging, and alerts for unexpected usage.
  - What would change this assessment: If the registry metadata is corrected to declare POE_API_KEY and the publisher identity is verified (homepage/source), the package would appear coherent and likely 'benign'. If you find other undeclared secrets or unexpected network endpoints in the code, the verdict would escalate.
Review Dimensions
- Purpose & Capability (note): The skill's name and documentation claim Poe API orchestration and model selection; the code (scripts/poe_client.py) implements an OpenAI-compatible client that reads POE_API_KEY and calls a Poe base_url. Requiring a Poe API key and the openai package is proportionate to the stated purpose. However, the registry summary at the top of the package metadata erroneously listed "Required env vars: none" while skill.json and the code both declare and enforce POE_API_KEY; this metadata mismatch is an incoherence to resolve.
- Instruction Scope (ok): SKILL.md and README document usage patterns and explicitly instruct reading MODEL_SELECTION_GUIDE.md. Runtime instructions and examples only call the client methods and request model queries (text, image, video, audio). The instructions do not ask the agent to read arbitrary system files or secrets, or to transmit local files elsewhere. They do, however, require that the Poe API key be provided and that the openai client be available.
- Install Mechanism (ok): The skill is instruction-only in the registry (no platform install spec) but includes Python code and a requirements.txt (openai>=1.0.0). There is no download-from-URL or arbitrary archive extraction. The only installation action is installing the openai package via pip, which is proportionate and traceable.
- Credentials (concern): The code and skill.json require a POE_API_KEY (secret) and will use it to authenticate requests to https://api.poe.com/v1. That credential is appropriate for the claimed integration, but the top-level registry metadata incorrectly claimed no required env vars, an inconsistency that could mislead users. Also note: any API key gives the skill access to an external account (billing and data), so you should provide a dedicated key with monitoring and consider rate/cost limits.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills or system-wide settings. It does not attempt to persist credentials beyond using environment variables. Autonomous invocation is allowed (default platform behavior) but is not combined with other high-privilege requests in this package.
