Skill v0.1.0
ClawScan security
Freesound API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 7:12 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested local storage match its stated purpose (local Freesound OAuth, search, and download helpers); nothing appears to request unrelated privileges or external exfiltration.
- Guidance: This skill appears coherent and implements a local OAuth and search/download helper for Freesound. Before using: (1) inspect the included scripts yourself (they are bundled) and run them in an isolated Python environment; (2) be aware credentials are saved in plaintext at %APPDATA%/OpenClaw/freesound-api/credentials.json — do not commit that file or paste secrets into chat; (3) the OAuth flow starts a localhost server and opens your browser to complete login (expected); (4) verify that using the saved client_secret as an API 'token' matches your Freesound app configuration; (5) if a secret becomes exposed, rotate it immediately.
Review Dimensions
- Purpose & Capability (ok): Name/description (Freesound API helpers: OAuth, local credential storage, search, download) aligns with included scripts (setup_credentials, oauth_login, search_sounds, download_sound, sound_details, and helpers). No unrelated binaries or environment variables are required.
- Instruction Scope (note): SKILL.md instructs running included Python scripts, starting a localhost callback server, opening the browser, and saving credentials to %APPDATA% — all consistent with local OAuth flow. It only references the credential file and local scripts. Note: the code saves client_secret and tokens in plaintext under %APPDATA% (credentials.json), which is expected but worth noting. Also api_utils falls back to using the saved client_secret as an API 'token' parameter if no OAuth token exists; confirm this matches your Freesound app expectations (some APIs expose a separate API key).
- Install Mechanism (ok): No install spec; this is instruction-only with bundled Python scripts. The only dependency called out is the 'requests' library, which SKILL.md mentions to install if missing. No remote downloads or archive extraction are performed by the skill itself.
- Credentials (note): The skill requests no environment variables or external credentials at install time. It does read APPDATA (to compute the local storage path) and writes client_id/client_secret and OAuth tokens to %APPDATA%/OpenClaw/freesound-api/credentials.json. Storing secrets locally in plaintext is expected here but has the usual risk if the machine is shared or backups are synced — rotate secrets if exposed.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent platform-wide privileges. It only creates and uses its own application directory and credential file; it does not modify other skills or system-wide agent configs.
