Skill v1.1.2

ClawScan security

uexcorp-sc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 8:26 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose — a Star Citizen trade advisor that talks to the UEXcorp API and only requests a UEXcorp API token — with a minor documentation inconsistency about a separate "secret-key" for marketplace listings.
Guidance
This skill appears to do what it claims and only needs your UEXcorp API token. Before installing:
1) Obtain the token from the official UEXcorp apps page and put it into your agent's config only if you trust the skill.
2) If you plan to create marketplace listings, note the SKILL.md mentions a separate 'secret-key' header but does not tell you how to supply it — find out from UEXcorp whether you need to generate an additional key and where to store it in your skill config.
3) Use is_production=0 (sandbox) when testing listing/image uploads to avoid accidental public posts and to troubleshoot image format issues.
4) Be cautious about uploading images that contain personal or sensitive information because the agent will process them.
5) Because this is instruction-only, no binaries will be installed, but the agent will make network calls to api.uexcorp.space — verify that domain is correct and that you're comfortable sharing your UEXcorp token with the agent.
If you want a stricter posture, disable autonomous invocation for this skill or only invoke it manually.

Review Dimensions

Purpose & Capability
ok: Name/description match the runtime instructions: the SKILL.md documents API endpoints for market queries, route optimization, contributions, and listings against api.uexcorp.space. The declared required config path (uexcorp.apiToken) aligns with the described Bearer token authentication.
Instruction Scope
note: Instructions are focused on calling the UEXcorp API and include examples and rate-limit guidance. They reference using the agent's vision capability for image-to-listing flows (expected for image uploads). One inconsistency: the docs describe sending a separate 'secret-key' header for marketplace_advertise but the skill does not declare where that key is supplied (not listed in requires.config).
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by the skill itself.
Credentials
note: The skill only requests a single config path (uexcorp.apiToken), which is proportionate. However, the SKILL.md also refers to a distinct 'secret-key' required for marketplace posts but does not declare it as a required config/environment value, which is an omission the user should be aware of.
Persistence & Privilege
ok: No elevated privileges requested. always is false and the skill does not require altering other skills or system-wide settings. Autonomous invocation is enabled by default (normal) but not combined with other red flags.