Skill v1.0.1

ClawScan security

Whop Digital Store · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 30, 2026, 2:27 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's description promises a Whop API integration and scripts that would need an API key and concrete code, but the package declares no required credentials or files and provides only vague, stubbed instructions — the pieces don't fully line up.
Guidance
This skill appears to be an instruction-only placeholder that claims to automate Whop store tasks but provides only stubbed scripts and omits declaring the WHOP_API_KEY it says you should save. Before installing or providing secrets:
1) ask the publisher for the actual implementation files (the scripts) and a clear list of required environment variables and permissions;
2) do not share your WHOP_API_KEY (or other payment/affiliate credentials) until you can review the code that will use them;
3) verify how affiliate payouts are executed and whether additional platform credentials or bank/payment details are needed;
4) prefer a version that explicitly declares required env vars in the registry and includes readable, auditable code.
Because the skill's claims, required secrets, and actual package contents are inconsistent, treat it cautiously.

Review Dimensions

Purpose & Capability
concern: Name/description claim a Whop integration (product creation, license delivery, affiliate payouts). The SKILL.md explicitly tells the user to save a WHOP_API_KEY, and the deliverable lists specific scripts, but the registry metadata declares no required environment variables and there are no code files in the package. That mismatch (announcing code and an API key but not requiring/including them) is incoherent and unexplained.
Instruction Scope
concern: The runtime instructions describe actions that would need API access (create products, deliver licenses, pay affiliates), but the provided 'Core Script' is only stubs with pass statements and no concrete commands or safe defaults. Instructions are high-level and open-ended (e.g., 'Auto-pay affiliate commissions'), which could cause an agent to request or handle credentials or payment info without precise boundaries.
Install Mechanism
ok: No install spec and no code files are included. Instruction-only skills present lower install risk because nothing is pulled or written to disk by an installer.
Credentials
concern: SKILL.md tells the user to store WHOP_API_KEY, but the skill metadata lists no required env vars or primary credential. Affiliate payouts and license delivery may require additional credentials or permissions not disclosed. Asking for API keys without declaring them in the registry is a proportionality and transparency problem.
Persistence & Privilege
ok: The skill's 'always' flag is false, and there is no install or persistent component. The skill does not request elevated placement or modify system/other-skill configs.