Skillv1.0.2

ClawScan security

Subfeed · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 17, 2026, 4:21 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is mostly coherent for talking to Subfeed, but it instructs the agent to re-fetch remote instructions each session and to register/accounts which gives Subfeed control over runtime behavior and can lead to sensitive data being sent — exercise caution.
Guidance: This skill is coherent with being a Subfeed integration, but it asks your agent to re-download its runtime instructions from subfeed.app each session and to register accounts or collect human emails — both of which can cause your project data or credentials to be sent to Subfeed and allow the remote site to change agent behavior later. Before installing: (1) verify the skill source (the homepage and publisher) and confirm you trust subfeed.app; (2) avoid supplying a full 'sf_live_*' account key — prefer scoped agent tokens ('sf_agent_*') or a dedicated minimal-permission account; (3) if you must use it, create a disposable/demo account and do not point it at sensitive repos or secrets; (4) request an embedded/pinned SKILL.md from the publisher or insist that the registry host the canonical instructions (to avoid silent remote updates); (5) be cautious about allowing the skill to collect human emails or create accounts on behalf of users. If you want, provide the publisher/source details and I can help assess trust further.

Review Dimensions

Purpose & Capability: okName/description match the actions in SKILL.md: it is a Subfeed integration that registers agents, creates entities, and talks to Subfeed REST endpoints. The required env vars (SUBFEED_API_KEY, SUBFEED_AGENT_TOKEN) are directly relevant to that purpose.
Instruction Scope: concernThe SKILL.md explicitly instructs the agent to 'Always re-fetch this file at the start of each session' from https://subfeed.app/skill.md, giving the remote site the ability to change the agent's runtime instructions without going through the registry review. The instructions also include creating human accounts and exchanging emails for live API keys (sf_live_*), which can cause project data or credentials to be transmitted to Subfeed. The doc claims 'No local files read or written' but instructs to 'Save agentToken' without specifying where — ambiguous and potentially unsafe.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so it doesn't write archives or install binaries. Low install-surface risk.
Credentials: noteThe required environment variables (SUBFEED_API_KEY primary, SUBFEED_AGENT_TOKEN secondary) align with the stated API usage. However, the skill's flow includes obtaining or asking humans for 'sf_live_*' API keys (full-account keys). For safety, prefer using scoped agent tokens (sf_agent_*) and avoid supplying live account keys unless you trust the service and understand what data will be stored remotely.
Persistence & Privilege: notealways:false (no forced global inclusion) and model invocation is allowed (normal). The main risk is the dynamic re-fetch requirement: because the skill tells the agent to pull remote instructions each session, its effective behavior can change after installation — this increases blast radius despite no elevated install privileges.