Skill v1.0.2
ClawScan security
justinX · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 5:28 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a third‑party MCP integration for streaming data; it asks only for an API key and provides MCP config steps, with no install or unexplained privileges.
- Guidance: This skill appears coherent for connecting streaming data to your agent, but it connects your agent to an external service (justinx.ai) and requires storing an API key in your MCP config. Before installing:
  1) Verify the justinx.ai service and repository (the included metadata points to https://justinx.ai and a GitHub repo) so you trust the vendor.
  2) Prefer creating a limited-scope API key and rotate/revoke it if needed.
  3) Avoid placing keys in world-readable config files — use your agent's secret storage or OS keyring if available.
  4) Be aware that streaming data (and any watcher scripts you run) will flow to a third party; do not send sensitive or regulated data until you confirm compliance and privacy details.
  5) Test with the provided demo connection and non-sensitive data first.
Review Dimensions
- Purpose & Capability (ok): The skill claims to connect MQTT/Kafka/webhooks via an MCP endpoint and only requests a JUSTINX_API_KEY which is exactly what an external API-backed streaming service would need. The listed tools (create_connection, read_stream, watchers, WebSocket URLs) match the stated purpose.
- Instruction Scope (note): The SKILL.md instructs the agent/user to add JustinX to MCP settings (examples reference .claude/settings.json and ~/.openclaw/openclaw.json) and to include an Authorization header with the API key. This is expected for an MCP-backed skill, but it requires storing the API key in agent config files (plaintext in examples). The instructions do not ask the agent to read unrelated system files or other credentials.
- Install Mechanism (ok): There is no install spec and no code files — this is instruction-only. That minimizes disk write/execute risk; nothing is downloaded or installed by the skill itself.
- Credentials (note): Only one environment secret (JUSTINX_API_KEY) is required, which is proportional to an external API integration. Caveat: the SKILL.md examples show adding the API key into local MCP config files, which can expose the key if those files are not protected. No other unrelated credentials are requested.
- Persistence & Privilege (ok): always is false and the skill is user-invocable / can be called autonomously (platform default). The skill asks the user to add an MCP server entry (normal for MCP integrations) but does not request any elevated or system-wide privileges beyond that.
