Back to skill
Skillv1.0.0
ClawScan security
clawquest-chat-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 8:29 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements align with its stated purpose: it reads public ClawQuest API endpoints (no auth) and helps browse quests/skills; it does not request secrets or install arbitrary code.
- Guidance
- This skill appears coherent and limited to reading public ClawQuest data. Before installing: (1) verify you trust https://api.clawquest.ai as the data source; (2) note there are no secrets required, but the scripts optionally honor CLAWQUEST_API_URL — do not set that to internal or untrusted endpoints (could direct queries elsewhere); (3) the skill may list or link to other skills on ClawHub — if you later install any linked skill, review that skill separately (those installs could request credentials or broader permissions); and (4) because the skill can be invoked autonomously, ensure you are comfortable letting an agent fetch public web data on your behalf.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, and included scripts all focus on publicly reading quests and skills from api.clawquest.ai. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope
- okRuntime instructions and examples only describe fetching public endpoints (/quests, /skills) and presenting results. They do not instruct reading local files, accessing unrelated environment variables, or transmitting data to third parties.
- Install Mechanism
- okThere is no install spec (instruction-only). Two utility/scripts are included but they are simple, dependency-free Node scripts that call the public API. Nothing is downloaded from arbitrary URLs or extracted to disk during install.
- Credentials
- okNo required environment variables or secrets. The code allows an optional CLAWQUEST_API_URL override (reasonable for testing), but no credentials or tokens are requested.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request persistent privileges, modify other skills, or alter global agent configuration.