Skillv1.0.0

ClawScan security

Onemind Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:08 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's docs and test script mostly match a OneMind Supabase integration, but there are notable inconsistencies (undeclared API key usage, embedded/partial tokens, and prompt-injection pattern) that don't add up and deserve clarification before use.
Guidance: Before installing or enabling this skill, verify these points with the publisher: - Confirm what API key(s) are actually required. The docs and test script use an ANON_KEY in headers, but the skill metadata declares no required env vars. Ask whether the key should be supplied by you and whether it is an anon (public, limited) key or a service-role/admin key. Never provide a service-role key to a third-party skill. - The docs include long base64/JWT-like strings and a truncated token. Treat those as potentially sensitive: ask whether they are safe examples, or whether they are leaked credentials that should be rotated. If any real keys are embedded, do not use them. - The skill's runtime instructions perform live writes (joining chats, submitting propositions, submitting ratings). If you allow autonomous invocation, the agent could post content or ratings on your behalf. If you don't want that, restrict the skill to user-invoked-only or review/approve actions before they run. - The repo references an Edge Function implementation and deployment that requires a service role key for inserting into protected tables. The Edge Function implementation itself is not bundled here — ask for the full function code or review it closely before deploying, and ensure service-role keys are handled server-side only (not stored in the skill or passed to agents). - Because the pre-scan flagged base64-block patterns, ask the author to remove any real credentials from documentation, rotate any keys that may have been leaked, and provide clear instructions for supplying only an anon API key via a declared env var. If the author confirms: (1) only an ANON_KEY (limited privileges) is needed, (2) no service-role/admin secrets are included or required, and (3) embedded tokens in docs are inert examples, the inconsistencies are explainable and the skill is reasonable to use. Without that clarification, treat the skill cautiously.
Findings: [base64-block] unexpected: The SKILL.md and other files include long base64-like strings and truncated tokens (example apikey/JWT-like strings and a 'Token Mint' fragment). These look like secret material or example tokens embedded inline; that is not necessary for describing API usage and could indicate accidental token leakage or an attempt to include data that might influence an automated evaluation.

Review Dimensions

Purpose & Capability: noteThe SKILL.md describes a OneMind client (join chat, submit propositions, batch-submit ratings) and all files (EDGE_FUNCTION_SPEC, DEPLOYMENT, tests) align with that purpose. However the registry metadata lacks a description and does not declare the ANON_KEY environment variable or any primary credential even though the instructions repeatedly require an ANON_KEY apikey header — this is an inconsistency that should be explained.
Instruction Scope: concernRuntime instructions instruct the agent to perform anonymous auth, store access_token and user.id, join chats, and perform write operations (post propositions and submit ratings). Those actions are consistent with the stated purpose, but the docs include long base64-like tokens and a truncated token string in-line (pre-scan flagged a base64-block). The SKILL.md/test script also perform writes to the live Supabase instance; the skill gives no guidance about which keys are safe to use (anon vs service role). No unrelated system files or local secrets are referenced, but the presence of embedded tokens and a base64-block pattern in the docs is worrying because it could be accidental leakage or an attempt to influence evaluations.
Install Mechanism: okThere is no install spec — instruction-only plus documentation files and a bash test script. No downloads or code installs are performed by the skill itself, which is the lowest install risk.
Credentials: concernSKILL.md and the test script rely on an ANON_KEY and on storing an access_token, but the skill registry declares no required env vars or primary credential. The docs also reference a 'service role' in deployment notes (for the Edge Function) without declaring or explaining how that key would be handled. Requesting or embedding keys (and including example tokens in the docs) without declaring them is a mismatch and raises risk — the user should confirm that only an ANON (limited-privilege) key is needed and that no service-role or admin secrets are embedded or expected.
Persistence & Privilege: okThe skill is not marked always:true and does not request system-level persistence. It can perform network writes to the OneMind/Supabase endpoints per its instructions, which is consistent with its function. Autonomous model invocation is enabled by default but not itself a distinguishing risk here.