v1.0.2

Skill

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:27 AM.

Analysis

This instruction-only skill clearly describes a OneMind API integration, but users should notice that it can create an anonymous session and submit or rate consensus content on their behalf.

Guidance: Install only if you want the agent to participate in OneMind chats. Before use, verify any proposition text or rating values because those API calls can create visible or consensus-affecting entries on the service.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
curl -s -X POST "https://ccyuxrtrklgpkzcryzpj.supabase.co/functions/v1/submit-proposition" ... "content": "Your proposition here"

The skill documents authenticated POST requests that can create propositions in a OneMind chat. This is aligned with the stated purpose, but it is a real write action against a shared service.

User impact: The agent could submit consensus-chat content if the user asks it to use this skill, affecting shared OneMind discussion or results.
Recommendation: Confirm the chat, round, proposition text, and ratings before allowing the agent to submit them.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Step 1: Get Anonymous Token ... Store `access_token` (for Authorization header) and `user.id`.

The skill creates and uses an anonymous authenticated session for OneMind API requests. This is expected for the integration, but it means the agent will act under a service identity.

User impact: Actions may be attributed to the anonymous participant identity created during use of the skill.
Recommendation: Treat the generated access token as session credentials and avoid sharing it outside the intended OneMind API calls.