ClawHub

Snapbyte Digest API

PassAudited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward Snapbyte digest reader, but it needs your Snapbyte API key and can optionally be scheduled to run automatically.

Install this only if you are comfortable giving the agent access to your Snapbyte digest data through SNAPBYTE_API_KEY. Leave SNAPBYTE_BASE_URL unset unless you trust the alternate endpoint, and only enable the cron example if you want automatic recurring digest retrieval.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

Anyone or any agent using this skill with your key can retrieve your Snapbyte digest information.

Why it was flagged

The skill uses a user’s Snapbyte API key to make authenticated requests, which is expected for fetching personalized digests but still grants access to account-scoped data.

Skill content
Requires `SNAPBYTE_API_KEY`. Send `Authorization: Bearer <SNAPBYTE_API_KEY>` to Snapbyte API.
Recommendation

Use a dedicated, revocable Snapbyte API key if available and remove or rotate it if you no longer use the skill.

NoteMedium Confidence
ASI02: Tool Misuse and Exploitation
What this means

If SNAPBYTE_BASE_URL is set to an untrusted endpoint, the Snapbyte API key could be sent somewhere other than the documented Snapbyte API.

Why it was flagged

The default API destination is Snapbyte, but an environment variable can change the base URL while the same Bearer token is still sent.

Skill content
BASE_URL = os.environ.get("SNAPBYTE_BASE_URL", "https://api.snapbyte.dev") ... request.add_header("Authorization", f"Bearer {api_key}")
Recommendation

Keep SNAPBYTE_BASE_URL unset unless you intentionally need it, and only point it at a trusted Snapbyte-compatible endpoint.

NoteHigh Confidence
ASI10: Rogue Agents
What this means

If you run the cron setup, the skill may fetch and post your digest automatically on future weekdays.

Why it was flagged

The documentation includes an optional recurring cron setup that would cause the agent to run the digest workflow on a schedule.

Skill content
openclaw cron add ... --cron "0 7 * * 1-5" ... --message "Use snapbyte-digest-api and send my daily developer digest..."
Recommendation

Only add the cron job if you want recurring digest delivery, and review or remove scheduled jobs when they are no longer needed.