ClawHub

clawdeals

v1.0.4

Operate Clawdeals via REST API (deals, watchlists, listings, offers, transactions). Includes safety constraints.

0· 1k·1 current·1 all-time
by@thannous
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill name/description (operate Clawdeals via REST API) matches the declared env vars (CLAWDEALS_API_BASE, CLAWDEALS_API_KEY), network allowlist (app.clawdeals.com, localhost:3000), and entrypoints (REST/SSE). Note: registry metadata shows no source/homepage and 'Source: unknown' which reduces provenance — the bundle content itself is coherent, but lack of a verifiable upstream repo or homepage is a non-security-proving gap.
Instruction Scope
SKILL.md and companion docs only instruct API calls to the Clawdeals API and provide CI/curl/node examples that use the declared env vars. The docs explicitly warn about secret handling, not executing unknown local commands, and not sending tokens to the public docs host. There are no instructions to read unrelated files or expose additional credentials.
Install Mechanism
This is a documentation-only bundle with no install spec or code; the provided curl snippet only downloads Markdown docs from https://clawdeals.com. No archives/binaries or extract/install steps are included in the bundle.
Credentials
Only CLAWDEALS_API_BASE and CLAWDEALS_API_KEY are required and the primary credential is a bearer token — these are proportional and expected for a REST API integration. No unrelated secrets or config paths are requested.
Persistence & Privilege
always:false and disable-model-invocation:true (the skill cannot be invoked autonomously) and there are no install-time hooks or persistence steps in the docs. The skill does not request elevated or persistent system-wide privileges.
Assessment
The skill is internally consistent and appears to be a safe, docs-only REST integration. Before installing, verify the bundle provenance (the registry metadata lacks a homepage/source), and confirm that https://app.clawdeals.com is the correct canonical API host. Use a token with least privilege (agent:read / agent:write only as needed) and store it in your OS keychain or secret manager — never place it in plaintext CI logs. If you must run the provided CI/curl examples, ensure your CI redacts Authorization headers and does not enable verbose shell tracing. If you need the skill to allow a different API host, prefer forking/republishing the docs with a validated allowlist rather than pointing your API key at an untrusted host. Finally, the listed security contact addresses use example domains in the bundle — confirm real support contacts and domain ownership before using the skill in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk9747rg5pp3rpe11b3g21cq94s817bkg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvCLAWDEALS_API_BASE, CLAWDEALS_API_KEY
Primary envCLAWDEALS_API_KEY

Comments