Skill v1.0.1
ClawScan security
ClawBeat: OpenClaw News, Research & Events · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 12:21 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only integration that fetches public OpenClaw ecosystem data from a Supabase endpoint using a published read-only key; its requests and requirements are coherent with the stated purpose.
- Guidance: This skill is coherent with its description: it simply queries ClawBeat's public Supabase REST API using a publishable read-only key embedded in the examples. Before installing, consider: (1) confirm you are comfortable with the agent making outbound requests to the listed Supabase domain; do not send sensitive or private data in search keywords, since those queries go to the external service; (2) the API key in the SKILL.md appears to be a public/publishable key. It's not a secret, but verify with ClawBeat if you need a different/official endpoint or key; (3) if you require stronger privacy, ask for a self-hosted or proxied endpoint or avoid invoking the skill for confidential content.
Review Dimensions
- Purpose & Capability (ok): Name/description (ClawBeat news, research, events) match the runtime instructions: curl calls to a ClawBeat/Supabase REST API to list news, events, repos, research, and daily briefings. Nothing requested or instructed appears unrelated to fetching that data.
- Instruction Scope (note): SKILL.md contains only curl examples that query a Supabase REST endpoint and instruct substituting keywords into query parameters. The skill will make outbound network requests to a third-party API (twouuiapzrkezwbtylij.supabase.co). There are no instructions to read local files, access other env vars, or transmit data to unexpected endpoints. Be aware that user-provided search terms will be interpolated into the URL and sent to the external service.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files; nothing is written to disk by the skill itself. This is the lowest-risk install model.
- Credentials (note): Registry metadata declares no required env vars or credentials, and SKILL.md provides example CLAWBEAT_URL and CLAWBEAT_KEY values. The key shown is a publishable/read-only key (not your private credentials). The presence of a hard-coded public key in the skill is acceptable for read-only access but worth noting: the skill will call an external service using that key and URL.
- Persistence & Privilege (ok): always is false and the skill is user-invocable. It does not request persistent system privileges or modify other skills/config. Autonomous invocation is allowed (platform default) but not combined with any high-risk permissions.
