WaitingForMacGuffin
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a read-only Oscar-market data skill that queries a public website with curl, with a minor scope note because it also declares the local Read tool.
Before installing, be comfortable with the agent making public web requests to waitingformacguffin.com and treat any betting-style analysis as informational rather than guaranteed financial advice. The visible artifacts do not show credential use, persistence, destructive actions, or data exfiltration.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may make web requests to waitingformacguffin.com for Oscar market answers; the declared Read permission is broader than the visible task requires, although no local-file use is instructed.
The skill is allowed to run curl commands, which is central to its public API lookup purpose, but it also declares the Read tool even though the visible instructions do not describe reading local files.
allowed-tools: Bash(curl *), Read
Use the skill for non-sensitive Oscar market queries, and avoid asking it to process local private files unless you intentionally want that.