v1.0.0

Go2.gg

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:13 AM.

Analysis

This is a straightforward Go2.gg API guide, but it can use a Go2.gg API key to create, edit, list, or delete links in the user's account.

Guidance: Before installing, be comfortable giving the agent access to a Go2.gg API key and review any create, update, or delete operation carefully, especially for public or business-critical short links.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
### Update a Link ... curl -X PATCH ... ### Delete a Link ... curl -X DELETE

The skill documents API calls that can modify or delete Go2.gg links. This is purpose-aligned, but mistakes could affect live short links.

User impact: If used on the wrong link ID, the agent could change where a short link redirects or remove it from the account.
Recommendation: Confirm the exact link ID, destination URL, and intended action before running update or delete requests.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The package has limited provenance metadata, although no runnable code or install-time dependency is present in the supplied artifacts.

User impact: Users have less registry-level information for verifying who published the skill, but the artifact does not include hidden install code.
Recommendation: Verify Go2.gg API documentation and the publisher before trusting the skill with an API key.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
Requires GO2GG_API_KEY env var ... Auth: `Authorization: Bearer $GO2GG_API_KEY`

The skill expects a bearer API key for Go2.gg account access. This credential use is disclosed and fits the service, but it enables account-level API operations.

User impact: Anyone or any agent using this key may be able to manage links and view analytics permitted by the Go2.gg account.
Recommendation: Use a scoped or revocable API key if Go2.gg supports it, store it securely, and revoke it if the skill is no longer needed.