Skill v1.0.1
ClawScan security
FiberAgent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 8:29 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, docs, and runtime instructions are internally consistent with its stated purpose (searching an external cashback API and returning affiliate links); it does call external endpoints and requests a wallet address for registration, but it does not request unrelated credentials or perform unexpected local access.
- Guidance: This skill appears to do what it says: it forwards user search queries and an agent/wallet identifier to fiberagent.shop and returns affiliate links with crypto cashback. Before installing: (1) confirm you trust https://fiberagent.shop and its operator (review the linked GitHub repo and site), (2) do not provide private keys or other secrets (only supply a public wallet address for earnings), (3) be aware that user queries will be sent to an external service (privacy consideration), and (4) if you want to limit exposure, use a dedicated or throwaway wallet address for agent earnings and avoid storing sensitive secrets in your OpenClaw config file.
Review Dimensions
- Purpose & Capability (ok): Name/description match the delivered functionality: the skill wraps calls to https://fiberagent.shop to search products, register an agent, and fetch stats. It does not request unrelated credentials or binaries. One minor note: the README suggests adding your agentId/wallet to ~/.openclaw/openclaw.json (a user config path); that is a recommended configuration step, not a hidden requirement.
- Instruction Scope (note): SKILL.md instructs the agent to send user search keywords and agent_id/wallet address to fiberagent.shop endpoints (search, register, stats, MCP). This is expected for a shopping/affiliate skill, but it means user queries and the wallet address will be transmitted to an external service; the instructions do not attempt to read local secrets or unrelated files.
- Install Mechanism (ok): There is no automated install spec (instruction-only install). The README gives local install instructions (copy skill into ~/.openclaw/workspace/skills) which is normal for OpenClaw. No remote downloads or archive extraction are performed by the skill itself.
- Credentials (ok): The skill declares no required environment variables or credentials. It asks the user to provide an agent ID and wallet address for registration/earnings, which is proportional to its affiliate payment purpose. It does not request private keys or unrelated tokens; however, storing a wallet address in a config file is recommended in docs and users should avoid storing private keys or secrets there.
- Persistence & Privilege (ok): always:false and the skill does not request elevated platform privileges. The README suggests enabling the skill in the user's OpenClaw config but does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but that is appropriate for this kind of tool.
