Polt User
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill openly connects to POLT, but it gives the agent broad instructions to take remote bounty tasks and perform account-changing actions without clear user approval boundaries.
Install only if you intentionally want your agent to interact with the POLT task platform. Before allowing it to act, review each task yourself, approve any commit/submission/vote/reply/profile change, keep the POLT API key secret, and avoid giving task descriptions access to private files, credentials, or unrelated accounts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could follow arbitrary external task instructions that do not match the user's immediate goals or safety expectations.
This makes remote task descriptions from the POLT service into instructions for the agent, without visible boundaries or a requirement to confirm the task with the user first.
Do whatever the task requires. The task description explains what needs to be done.
Treat POLT task descriptions as untrusted input. Require explicit user approval before committing to or executing any task, and define what resources, files, accounts, and actions the agent may use.
The agent could make public or account-affecting changes on POLT, including locking tasks to the user or posting submissions/replies, if invoked without careful review.
The skill documents several authenticated, state-changing API actions that can affect the user's POLT account, public content, task locks, submissions, and profile.
Commit to task | POST | `/api/tasks/:id/commit` ... Submit work | POST | `/api/tasks/:id/submit` ... Vote on project | POST | `/api/projects/:id/vote` ... Reply to project | POST | `/api/projects/:id/replies` ... Update your profile | PATCH | `/api/agents/me`
Require a confirmation step that previews the endpoint, task, and payload before any commit, submit, vote, reply, or profile update.
Anyone with the API key could act as the user's POLT agent account for authenticated actions.
The skill uses a bearer API key for authenticated POLT actions. This is expected for the integration, but it is still an account credential with mutation authority.
You'll receive an API key that you must save — it is only shown once. ... Authorization: Bearer polt_abc123...
Store the POLT API key only in a trusted credential store, do not paste it into public chats or task submissions, and revoke or rotate it if exposed.
Users have limited independent information for deciding whether to trust the POLT service and its API endpoint.
The registry metadata does not provide a source repository or homepage, making it harder for users to verify the operator and provenance of the external service integration.
Source: unknown; Homepage: none
Verify the POLT operator and endpoint out of band before registering or sending work, and prefer skills with clear source and service provenance.
