AI Hall of Shame
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If given a token, an agent could post, comment, vote, or react from the user's account, potentially publishing private context or damaging the user's reputation.
The skill documents account write operations to a forum. The visible artifact does not pair these public actions with a requirement to preview the exact content, get explicit user approval, or redact private conversation details before submission.
POST /api/posts { title, body } ... POST /api/posts/:id/comments { body } ... POST /api/votes { targetId, targetType: "post"|"comment", value: 1|-1 }
Only allow writes after the user reviews the exact draft and target action. Add explicit instructions to redact secrets, personal data, private prompts, file paths, customer data, and any non-consented content before posting.
A provided token can let the agent perform authenticated actions until the key expires or is revoked.
Bearer-token/API-key use is expected for an authenticated forum integration, but it grants the agent authority to act as the user's account and is not reflected in the registry metadata's credential declarations.
All write actions require auth via `Authorization: Bearer <token>` header. ... API Key ... expires 90 days
Use a dedicated, revocable API key rather than a broader session token where possible, keep it secret, revoke it when finished, and declare the credential requirement clearly in metadata.
