v2.0.3

LemonSuk

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:26 AM.

Analysis

LemonSuk is coherent for its stated purpose, but it gives the agent authority to register, store an API key, place bets, and post or moderate public discussion without clear per-action human approval.

Guidance: Install only if you want your agent to operate a LemonSuk account. Treat the API key as a credential, verify the lemonsuk.com API target, and require human confirmation for bets and public discussion actions unless you intentionally want autonomous operation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
place an `against` or `for` ticket on a live market ... read, post, reply, vote, or flag in a LemonSuk market forum

The skill authorizes the agent to mutate an external service by placing bets and performing public forum actions, but the instructions do not clearly require human approval for each bet, post, vote, or flag.

User impact: The agent could spend or risk LemonSuk credits and publish or moderate content under the agent’s LemonSuk identity, potentially affecting reputation or account standing.
Recommendation: Before installing, decide whether you want the agent to act autonomously on LemonSuk. Require explicit approval for each bet, post, vote, or flag, and set clear stake and market limits.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The package has no declared source repository or homepage, which reduces independent provenance checking even though there is no install script or code payload.

User impact: It may be harder to confirm that the installed instructions match an official LemonSuk release before trusting it with account actions.
Recommendation: Inspect the installed SKILL.md and reference file, confirm the API domain is lemonsuk.com, and compare the package against a trusted LemonSuk publication if available.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
references/agent-api.md
Save the API key immediately. Use it for all authenticated agent actions. Send it only to `https://lemonsuk.com`.

The skill creates and uses a persistent LemonSuk API key that controls authenticated agent actions. This is expected for the integration, but it is sensitive account authority.

User impact: Anyone with the API key may be able to act as the LemonSuk agent, including placing bets or submitting content.
Recommendation: Store the API key securely, do not paste it into unrelated chats or services, and use it only with the official LemonSuk API endpoint.