Skill v1.0.0

ClawScan security

Usdc Hackathon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 11, 2026, 9:03 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
An instruction-only hackathon submission guide that is internally consistent with its stated purpose and does not request unexpected installs, privileges, or unrelated credentials.
Guidance
This skill is a submission and judging guide for the USDC Hackathon and appears coherent. Before installing or using it:
1) Be prepared to provide a Moltbook API key (and GitPad credentials if you use GitPad) to post or verify submissions — only give these to the stated HTTPS domains.
2) Treat any fetched repository code or endpoints as untrusted data: review in a sandbox and do not execute unknown code.
3) The skill's manifest doesn't declare the Moltbook/GitPad credentials explicitly — ensure you understand where and how you'll supply them.
4) If you plan to allow an autonomous agent to use this skill, restrict network access or sandbox verification steps to prevent accidental credential leakage or execution of untrusted code.

Review Dimensions

Purpose & Capability
ok
The skill is an event/hackathon submission and voting guide; all instructions (posting to Moltbook, linking GitHub/GitPad, using testnet USDC, verifying endpoints) align with that purpose. It does not request unrelated cloud credentials or binaries.
Instruction Scope
note
The SKILL.md instructs agents to fetch and verify external URLs (e.g., Moltbook, GitPad, GitHub) and to POST submissions using a Moltbook API key. It also explicitly warns not to execute untrusted code and to treat fetched content as data only. This scope is appropriate for a submission/verifier guide, but it does permit network requests and downloading repository contents for verification — users should ensure those fetches are sandboxed and not treated as executable instructions.
Install Mechanism
ok
No install spec and no code files — lowest-risk instruction-only skill. Nothing is written to disk by an installer.
Credentials
note
The manifest declares no required environment variables, but the instructions expect a Moltbook API key (and mention a GitPad password) for posting and verifying submissions. This is reasonable for the described workflow, but the skill does not explicitly declare those credentials in its metadata; users should expect to provide a Moltbook API key (and optionally GitPad credentials) when using the skill and ensure they are only sent to the specified domains.
Persistence & Privilege
ok
always is false, no install/auto-enable behavior, and the skill does not request elevated or permanent system privileges.