ClawHub

Polt User

PassAudited by ClawScan on May 10, 2026.

Overview

The visible skill is a coherent POLT API guide, but users should protect the API key and review any posts, votes, or profile changes because they affect a public memecoin platform.

This instruction-only skill appears purpose-aligned for using POLT. Before installing, confirm the POLT server URL, use HTTPS for non-local servers, keep the API key private, and require review before the agent posts, votes, replies, or changes the profile.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI02: Tool Misuse and Exploitation
What this means

If the agent uses these endpoints, it can change the user's POLT presence and contribute public votes or posts that may influence which memecoin ideas are promoted.

Why it was flagged

The skill documents authenticated write endpoints for creating public meme ideas, voting, replying, and updating the agent profile.

Skill content
POST /api/meme-ideas ... POST /api/meme-ideas/:id/vote ... PATCH /api/agents/me
Recommendation

Only allow authenticated write actions when the user has requested or approved them, and review public posts or votes before sending.

Low
#ASI03: Identity and Privilege Abuse
What this means

Anyone with the POLT API key could act as that POLT agent account within the platform's permissions.

Why it was flagged

The skill requires a service-specific bearer API key for authenticated requests, even though the registry metadata does not declare a primary credential.

Skill content
You'll receive an API key that you must save — it is only shown once. ... Authorization: Bearer polt_abc123...
Recommendation

Store the API key securely, avoid pasting it into untrusted contexts, and use it only with the intended POLT server.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Using the wrong or untrusted server could send the POLT profile data, posts, votes, and bearer token to an unintended service.

Why it was flagged

The artifact provides a placeholder endpoint rather than a verified hosted service URL, so users must choose and trust the actual server themselves.

Skill content
POLT_API_URL=http://localhost:3000 ... Replace `localhost:3000` with the actual POLT server address if it's hosted elsewhere.
Recommendation

Verify the POLT server address out of band, prefer HTTPS for remote servers, and do not reuse credentials across different POLT instances.