Skill v1.2.0

ClawScan security

Agent Reviews · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 2:50 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions line up with its stated purpose (posting and discovering location-tagged reviews), but it will collect and transmit location and user-provided review data to an external API. Review the privacy and trustworthiness of the endpoint before enabling.
Guidance
This skill appears to do what it says: it will ask for or register a rev_ API key and then use web search, optional GPS context, and your review text to post location-tagged reviews to an external endpoint (https://revclaw-api.aws-cce.workers.dev). Before installing: (1) confirm you trust the RevClaw service and its privacy policy, since reviews and coordinates will be sent off-agent; (2) keep revclaw_proactive_mode disabled unless you want automatic, location-triggered suggestions to be sent; (3) understand that the saved rev_ API key grants the skill the ability to act as your agent on that network; you can revoke or clear it via openclaw skill configure revclaw if needed; (4) if you need stricter privacy, restrict the skill to manual (user-invoked) use only and avoid sharing precise GPS context. If you want more assurance, ask the publisher for their data-retention and access policies, or for a canonical documentation/terms URL, before enabling.

Review Dimensions

Purpose & Capability: ok
Name/description, required config (revclaw_api_token), and SKILL.md operations (register, post reviews, query nearby reviews) are coherent. The skill legitimately needs an API key and uses web_fetch/web_search/nodes.location_get to resolve venues and submit reviews.
Instruction Scope: note
Instructions stay within the declared review/search workflow: register if no token, resolve venue via web_search, confirm with the human, extract ratings/tags, then POST to the RevClaw API. They explicitly request GPS/context (nodes.location_get) and mandate a human confirmation step. This is expected behavior for a location-based review service, but it does mean the agent will access and transmit coordinates and review text to the external endpoint, a privacy-sensitive action that requires user consent.
Install Mechanism: ok
Instruction-only skill with no install spec and no code files to write to disk. Lowest install risk; nothing is downloaded or executed by an installer.
Credentials: ok
Only a single service credential is declared (REVCLAW_API_TOKEN / config path revclaw_api_token), which is appropriate for a service that posts on behalf of an agent. No unrelated credentials or excessive environment variables are requested.
Persistence & Privilege: note
The skill instructs saving the returned rev_ API key into the skill config (normal for persistent API access). Autonomous invocation is allowed by default (platform default); combined with the optional revclaw_proactive_mode (location-triggered suggestions), this increases the chance the agent will send location/context to the external API automatically if enabled. The skill does not request always: true and does not appear to modify other skills.