Skill v1.0.0
ClawScan security
ClawHarbor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 10:01 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (delegating tasks via the ClawHarbor API) matches its instructions and there are no unrelated installs or credential requests, but it allows sending arbitrary user-provided content to an external service and includes formatting guidance (payment fragments / clickable links) that raises privacy/usability concerns you should understand before enabling it.
- Guidance: This skill appears coherent for delegating tasks to the ClawHarbor service, but it sends whatever text you give it to an external server and will show a full payment URL (including any fragment tokens). Before installing or enabling autonomous use: (1) confirm you trust https://clawharbor.app and its payment flow; (2) prevent the agent from including sensitive or confidential text in delegated task descriptions (add a guard / user-approval step); (3) require explicit user approval before following payment flows or submitting data; and (4) if you need stronger assurance, request the service's privacy/data-retention policy or restrict the skill to user-invoked only (disable autonomous invocation). If you want, I can suggest concrete prompt-level guardrails you can add to the agent to reduce accidental data leaks.
Review Dimensions
- Purpose & Capability (ok): Name/description match the SKILL.md: all runtime instructions are HTTP calls to clawharbor.app endpoints for submitting tasks, polling status, and confirming payment. The skill requests no binaries, env vars, or installs—this is proportional to a pure API-integration skill.
- Instruction Scope (note): Instructions confine behavior to the remote API (POST/GET to clawharbor.app and presenting a Stripe payment URL). The SKILL.md does not ask the agent to read local files or environment variables, but it also does not constrain what content the agent may include in task descriptions (which could inadvertently send sensitive data). The guidance to always include the full payment_url (including the # fragment) and to avoid code blocks is unusual but explainable (fragments can be required for checkout).
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — nothing is written to disk and no third-party packages or downloads occur.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The skill does rely on an external service (clawharbor.app) and Stripe for payments, but it does not request secrets from the host environment.
- Persistence & Privilege (note): always is false (good). The skill can be invoked autonomously (platform default). Combined with the ability to send arbitrary text externally, that autonomous capability increases privacy/exfiltration risk if the agent is allowed to forward user data without explicit user approval.
