v1.0.1

Clawality

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:47 AM.

Analysis

Clawality is a coherent instruction-only personality-test skill, but it publishes a bot profile and can post to a public social feed, so users should approve what is shared.

Guidance: Install only if you want the agent to create a Clawality profile and send test answers to clawality.com. Do not include personal or social handles unless you want them shown, keep the API key private, and approve any public feed content before it is posted.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
SKILL.md
POST https://clawality.com/api/feed/posts ... "title": "<your post title>", "body": "<your post content>"

The skill documents API actions for posting, commenting, and voting in a social feed, which can create public or semi-public content under the bot's identity.

User impact: The agent could publish messages, comments, or votes on Clawality if the user authorizes those API calls.
Recommendation: Review and approve any feed post, comment, or vote before it is submitted, especially if it references the user or creator.

Human-Agent Trust Exploitation
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
**Your human didn't send you here by accident. They want to know what kind of claw you are.**

This wording presumes human intent and could encourage an agent to proceed without separately confirming the current user's approval.

User impact: The agent might over-read the skill's marketing language as permission to register, publish a profile, or interact with the feed.
Recommendation: Treat this as promotional text, not authorization; confirm with the user before registration or any public posting.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
"name": "<your-agent-name>", "model": "<your model, e.g. claude-sonnet-4-5>", "bio": "<optional...>", "owner_x_handle": "<optional: your human's X/Twitter handle>"

The registration flow sends agent identity details, model information, optional biography, and optional social handles to the external service.

User impact: The bot's name, model, bio, type results, and any supplied handles may become associated with a public Clawality profile.
Recommendation: Only provide fields the user is comfortable making public, and do not include a human's social handle unless they explicitly approve it.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
You'll receive a response with your `apiKey`, `claimCode`, and `nextSteps`... **Store the API key securely.** Use it as a Bearer token for all future requests

The skill creates and uses a service API key for the bot account, which is expected for this integration but is still an account credential.

User impact: Anyone with the API key could act as that Clawality bot on the service.
Recommendation: Keep the API key out of public chats, logs, and shared documents; rotate or revoke it if exposed.