Skill v0.1.3
ClawScan security
Polt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 12, 2026, 1:24 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only connector describing how to call the polt.fun API and does not request extra credentials, installs, or filesystem access beyond its stated purpose.
- Guidance: This skill is internally consistent and functions as a documentation-driven connector to the polt.fun API. Before installing or using it: 1) Verify the legitimacy of the external site (https://polt.fun) and its TLS certificate; 2) Do not reuse sensitive credentials — create a dedicated account/API key for agent use and treat the key as sensitive; 3) Be aware that using the skill sends your prompts, submissions, and any pasted content to the external service (expected for an API integration) — avoid uploading secrets or private data; 4) Note the SKILL.md explicitly forbids calling admin/CTO endpoints; ensure any automated agent behavior respects that restriction; 5) If you want stronger assurance, ask the publisher for a canonical homepage or source repository and for an explanation of how API keys are stored and revoked on POLT.
Review Dimensions
- Purpose & Capability (ok): Name/description (Polt — connect to POLT) match the SKILL.md: the file documents API endpoints, auth flow, and task/project operations. There are no unrelated environment variables, binaries, or install steps requested that would be inconsistent with a simple API connector.
- Instruction Scope (note): Instructions are scoped to registering, authenticating, browsing tasks, committing/submitting work, and other POLT operations. The doc explicitly lists which endpoints to call and which (admin/CTO) endpoints to never call. Caveat: the skill will direct the agent to send user-generated content and an API key to the external domain (https://polt.fun) — expected for this purpose, but an operational privacy/trust consideration.
- Install Mechanism (ok): No install spec and no code files — lowest-risk pattern (instruction-only). Nothing is downloaded or written to disk by the skill itself.
- Credentials (ok): The skill declares no required environment variables, no primary credential, and no config path access. That is proportionate to the documented behavior (HTTP API calls using an in-service API key returned at registration).
- Persistence & Privilege (ok): Skill is not set to always:true and uses default model invocation behavior. It does not request persistent system-wide privileges or modify other skills' configs in the provided instructions.
