Skill v0.1.0
ClawScan security
Storyclaw X2c Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 3:49 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions are consistent with a video-publishing + wallet-management integration: it only asks for an X2C API key, uses the X2C API and S3 presigned upload URLs, and has no install or external downloads.
- Guidance: This skill is internally consistent for publishing videos and managing an X2C wallet: it needs only your X2C_API_KEY and will call X2C endpoints and upload files to S3 presigned URLs. Before installing, confirm you trust the X2C service (source/homepage are missing), create an API key with the minimum necessary permissions, and store it safely (per-user credential files are used). Be cautious because wallet actions (swap/withdraw) can move funds; test with a non-critical account or small amounts first. If you are worried about automated actions, consider disabling autonomous invocation for this skill or monitoring/approving each run.
Review Dimensions
- Purpose & Capability (ok): Name/description (publish + wallet management) match the declared requirement (X2C_API_KEY) and the SKILL.md workflows (distribution endpoints, upload URLs, wallet actions). No unrelated credentials or binaries are requested.
- Instruction Scope (note): Instructions are explicit curl-based API calls and S3 PUT uploads and focus on publishing and wallet operations. They instruct reading/storing per-user API keys in credentials/{USER_ID}.json and uploading local files (cover.jpg, ep1.mp4). This is expected, but callers should be aware the agent will access provided local media files and stored credential files.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files: nothing is written to disk by an installer and no external archives are fetched.
- Credentials (ok): Only a single API credential (X2C_API_KEY) is required and is appropriate for the documented API usage. SKILL.md also references X2C_API_BASE_URL as an optional override (not listed as required), a minor omission but not disproportionate.
- Persistence & Privilege (note): Skill is not always-enabled and is user-invocable. The skill can be invoked autonomously (platform default). Because the skill can perform wallet actions (claim, swap, withdraw), allow-listing autonomous invocation or limiting scope/permissions of the API key is advisable to reduce risk.
