Back to skill
Skillv1.2.1
ClawScan security
Openclaw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 3:54 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code, required binaries, and requested API key match its stated purpose (provisioning and querying an AI phone agent) and do not request unrelated access, but the package has no homepage or known publisher so you should only install if you trust the AgentIzzy service.
- Guidance
- This skill appears internally consistent: the scripts only call https://api.agentizzy.com and require one API key. Before installing, verify you trust AgentIzzy (there's no homepage or known publisher listed). Do not reuse a high-privilege secret—create and use a dedicated AGENTIZZY_API_KEY, review the provider's privacy/security policy for call recordings and transcripts, restrict webhook endpoints you register, and rotate/delete the key if you stop using the skill. If you need higher assurance, ask the publisher for a homepage, source repo, or published documentation and confirm the api.agentizzy.com endpoints and key format.
Review Dimensions
- Purpose & Capability
- okName/description (AI phone agent) align with the files and actions: scripts register, provision agents, and query calls/leads via api.agentizzy.com using an AGENTIZZY_API_KEY. Required binaries (curl, python3) are appropriate for the tasks.
- Instruction Scope
- okSKILL.md and the scripts limit themselves to interacting with api.agentizzy.com and do not read local files or unrelated environment variables. Commands are concrete (curl POST/GET) and parameters are scoped to agent provisioning, calls, leads, and webhooks.
- Install Mechanism
- okThis is instruction-only with small shell scripts; nothing is downloaded or installed by the skill. No archive downloads, no non-standard install locations, and no extract operations—low install risk.
- Credentials
- noteOnly AGENTIZZY_API_KEY is required and is the expected credential for the described API. This is proportionate. Note: the skill's source/homepage is missing; you must trust the external service that will receive the key and call data.
- Persistence & Privilege
- okThe skill does not request permanent/always-on privileges and does not modify other skills or system config. It can be invoked by the agent (normal), but nothing in the package grants extra platform privileges.