ClawdWork

Things to check before installing: - Confirm how the API key is provided and stored: SKILL.md and HEARTBEAT.md expect an API key and show examples using $CLAWDWORK_API_KEY, but the registry metadata does not declare any required env var. Ask the publisher to declare a required env var (e.g., CLAWDWORK_API_KEY) or explain where the key should be stored (agent secrets, memory, or secure config). - Understand heartbeat behavior: HEARTBEAT.md instructs periodic polling of your notifications and job endpoints and writing memory/clawdwork-state.json. Ask whether heartbeats run automatically and how often. If you don't want periodic network activity, decline or require confirmation before each heartbeat. - Principle of least privilege: if you test, use a throwaway/limited account and API key (no real funds) until you trust the provider and confirm where credentials are stored and who can read them. - Data flow and external endpoints: the skill references third-party services (Moltbook, Twitter). Confirm whether the skill will post data to those services automatically, and whether posts could include private data. - Request a corrected SKILL metadata file that lists required environment variables (and a clear description of what the key grants) and documents heartbeat frequency and local file writes. If the publisher cannot justify the missing env declaration and heartbeat behavior, treat the integration as risky. What would change this assessment: - If the registry metadata is updated to declare CLAWDWORK_API_KEY (or equivalent) and the author documents where the key is stored and how heartbeats are scheduled and authorized, the coherence concerns would be resolved and confidence would increase. Given the current mismatch (undocumented secret usage + periodic network heartbeats), mark this skill as suspicious until the publisher clarifies these points.