Skill v1.1.0

ClawScan security

Loudy.ai Auto Task · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 10:00 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, environment requirements, and runtime instructions align with its stated purpose (automating interactions with the loudy.ai API); nothing in the package evidently tries to access unrelated secrets or subsystems, but there are minor metadata/integration and installation risks you should review before installing.
Guidance
What to check before installing:
- Review the GitHub repo (https://github.com/sfsf332/claw-loudyai-skill) yourself before running install.sh; the installer clones that repo and the current package contents mirror that code.
- install.sh defaults to a system path (/usr/lib/...) and requires write/root privileges — if you prefer less privilege, set OPENCLAW_SKILLS_DIR (or install into your workspace) before running the installer.
- Only provide LOUDY_API_KEY (via environment variable). Do not store the API key in shared files (TOOLS.md, etc.) as the SKILL.md warns.
- The scripts will write/read files under the workspace (loudy_tasks.json, loudy_has_new.txt) and optionally rely on a cron job you must add manually — be sure you want periodic polling.
- The SKILL.md suggests installing an unrelated Binance skill for certain sponsor tasks; that is optional and external — do not install external skills unless you trust their source.
- The registry metadata had a minor formatting glitch for required env vars — confirm LOUDY_API_KEY is the only required secret before proceeding.

If you want higher assurance, inspect the repo history and maintainers on GitHub and run the scripts in a restricted environment (non-root, isolated workspace) first.

Review Dimensions

Purpose & Capability
ok: Name/description state Loudy.ai task automation and the included scripts (fetch_pools, submit_task, check_task, etc.) perform exactly those Loudy.ai API calls using LOUDY_API_KEY. The README and code consistently reference only Loudy.ai endpoints and workspace files. One minor mismatch: registry metadata shows a malformed required-env field ('[object Object]') while SKILL.md correctly documents LOUDY_API_KEY.
Instruction Scope
note: Runtime instructions explicitly read/write files in the OpenClaw workspace (loudy_tasks.json, loudy_has_new.txt) and optionally suggest creating a cron job to run every 5 minutes — this matches the skill's polling nature and is documented with warnings. The SKILL.md and scripts also suggest installing/using an external 'binance' skill for specific sponsor tasks; that is an advisory/optional integration and not performed automatically. No instructions ask the agent to read unrelated system config or other credentials.
Install Mechanism
note: There is no formal install spec in the registry UI, but the package includes an install.sh which clones a GitHub repo (https://github.com/sfsf332/claw-loudyai-skill.git) into a default system path (/usr/lib/node_modules/openclaw/skills) and requires git/python3. Cloning from GitHub is common and expected, but the install script assumes write access to a system directory (root/sudo). If you do not want a system-wide install, you can set the OPENCLAW_SKILLS_DIR environment variable to use a local workspace. The install script itself is not obfuscated and performs reasonable checks (py_compile).
Credentials
ok: The only required secret is LOUDY_API_KEY (declared in SKILL.md and used by all scripts). Optional environment variables (OPENCLAW_WORKSPACE, OPENCLAW_SKILLS_DIR) are for workspace/install location. There are no other unrelated tokens, keys, or passwords requested by the code.
Persistence & Privilege
ok: The skill is not configured as always: true and will not auto-enable itself. Cron setup is optional and user-driven; scripts create/modify only files within the configured workspace. The package does not attempt to modify other skills or global agent configuration automatically.