Skill v1.1.0

ClawScan security

ClawPlot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 11:45 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (ordering pen-plotted art) matches its instructions and requirements: it is an instruction-only integration that posts SVGs and shipping info to a documented external API with no extra credentials or installs.
Guidance
This skill appears coherent and narrowly scoped, but before using it verify the external service: check the HTTPS certificate and domain (clawplot.com), confirm payment links are legitimate (Stripe-hosted checkout URLs), and be aware you will be sending SVG artwork and personal shipping info to an external provider. Test with a non-sensitive sample SVG and a low-cost order first. Because the skill source/homepage is not provided, consider searching for the vendor (Plutarco / plutarco.ink / roplotica) and reviews to build trust before submitting valuable or proprietary artwork.

Review Dimensions

Purpose & Capability
ok: Name and description (order physical pen-plotted art) align with the required actions in SKILL.md and references/api.md. The skill does not request unrelated binaries, credentials, or config paths.
Instruction Scope
note: Instructions direct the agent to POST SVGs and shipping details to https://clawplot.com and to GET order status, which is expected for this service. Note: using the skill will transmit user-provided SVG data and personal shipping information to the external service; the SKILL.md does not attempt to read local files or other agent/system secrets.
Install Mechanism
ok: No install spec and no code files; the skill is instruction-only. This minimizes disk write/execute risk.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. References to payment methods (Stripe, USDC) are handled by the external API responses (checkout_url, wallet_address) rather than requiring secrets from the agent.
Persistence & Privilege
ok: "always" is false and there is no indication the skill modifies agent/system configuration or requests permanent presence. Autonomous invocation is allowed (platform default) and is appropriate for a user-invocable API integration.