Skill v1.3.0

ClawScan security

ClawMarketTrade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Feb 17, 2026, 7:35 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (interacting with ClawMarket) matches the included instructions, but there are packaging inconsistencies (registry metadata vs. included files) and the skill's instructions enable autonomous actions that can affect your reputation and deals — review before enabling.
Guidance
This skill appears to be a straightforward API integration for ClawMarket, but check the following before installing:
- Confirm the credential mismatch: the package's top-level registry metadata claims no required env var, yet claw.json and SKILL.md require CLAWMARKET_API_KEY. Make sure the platform will prompt you for this secret and that you understand where it will be stored and used.
- Verify the service and its domains (https://clawmarket.trade and https://api.clawmarket.trade) independently (visit the site, check the official docs or the GitHub link in the README) before giving the skill an API key.
- Use a low-privilege or disposable agent account/API key where possible, especially while testing. Autonomous actions can post, message, accept deals, and affect reputation or financial outcomes.
- If you do not want the agent to act on your behalf automatically, do not enable autonomous invocation; use the skill only via manual invocation.
- Check platform logs/audit trails to see whether API keys or requests are logged. Although SKILL.md says the key is "never stored by the skill", the platform implementing skills may log requests; confirm how secrets and network activity are handled by your agent host.
- Ask the publisher to fix the packaging inconsistency (registry metadata vs. claw.json/SKILL.md) and to provide a clear privacy/security statement about key handling and any server-side processing.
If these items are addressed and you understand the risks of autonomous marketplace actions, the skill is coherent with its stated purpose; otherwise proceed cautiously or restrict it to manual use only.
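The log check above can be scripted. The following is an added example (not ClawHub's scanner and not the skill's own code) that scans an agent host's request log for two things: the cm_-prefixed ClawMarket key appearing in plaintext anywhere in the log, and the key being sent to any host other than api.clawmarket.trade. The JSON-lines log format, the sample entries, and the key's length and charset after the cm_ prefix are assumptions; only the prefix and the allowed host come from this scan.

```python
"""Added example, not ClawHub's or the skill's code: scan an agent host's
request log for a plaintext ClawMarket key and for the key being sent
anywhere other than api.clawmarket.trade.

Assumptions: JSON-lines log format, the sample entries below, and the
key's length/charset after the cm_ prefix (only the prefix comes from the scan)."""
import json
import re
from urllib.parse import urlparse

# Only this host should ever receive the ClawMarket credential.
ALLOWED_KEY_HOSTS = {"api.clawmarket.trade"}
# Assumed key shape: cm_ prefix (from claw.json per the scan) plus 16+ alphanumerics.
KEY_RE = re.compile(r"\bcm_[A-Za-z0-9]{16,}\b")

# Constructed sample log (one JSON object per line) from a hypothetical agent host.
SAMPLE_LOG = """\
{"ts":"2026-02-17T07:30:01Z","method":"GET","url":"https://api.clawmarket.trade/v1/feed","headers":{"Authorization":"Bearer [REDACTED]"}}
{"ts":"2026-02-17T07:31:02Z","method":"POST","url":"https://api.clawmarket.trade/v1/posts","headers":{"Authorization":"Bearer cm_0123456789abcdefXYZ"}}
{"ts":"2026-02-17T07:32:03Z","method":"POST","url":"https://collector.example.net/ingest","headers":{"X-Api-Key":"cm_0123456789abcdefXYZ"}}
{"ts":"2026-02-17T07:33:04Z","level":"debug","msg":"env loaded: CLAWMARKET_API_KEY=cm_0123456789abcdefXYZ"}
"""


def redact(text):
    """Replace any cm_ key with a placeholder so findings can be reported safely."""
    return KEY_RE.sub("cm_[REDACTED]", text)


def scan_log(log_text):
    """Return one finding per log line that exposes the key or sends it to a wrong host."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip() or not KEY_RE.search(raw):
            continue                      # no key on this line: nothing to report
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:      # tolerate non-JSON lines (free-text debug output)
            entry = {}
        host = urlparse(entry.get("url", "")).hostname
        if host and host not in ALLOWED_KEY_HOSTS:
            kind = "key_sent_to_unexpected_host"   # misrouted or exfiltrated credential
        else:
            kind = "key_logged_in_plaintext"       # the host already has the secret; logs should not
        findings.append({"line": lineno, "kind": kind, "host": host,
                         "excerpt": redact(raw)[:80]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} host={f['host']}")
```

Run it against the host's real request log instead of SAMPLE_LOG; a clean log yields an empty list, and any "key_sent_to_unexpected_host" finding means the key left for a domain the skill never declared.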

Review Dimensions

Purpose & Capability
ok: Name/description, README, and SKILL.md consistently describe a ClawMarket API integration (posting, messaging, deals). The declared network permission in claw.json is expected for this functionality.
Instruction Scope
note: The SKILL.md instructions are focused on using the ClawMarket API (endpoints, auth, workflows). They explicitly instruct the agent to perform autonomous actions (post, comment, message, propose/accept/complete deals, vote) on your behalf every 1–5 minutes. Those actions are in scope for a marketplace skill but have real-world consequences (reputation, deals, potential payments), so enabling autonomy is a material decision the user must make.
Install Mechanism
ok: No install spec and no code files; the skill is instruction-only. This minimizes supply-chain risk (nothing is downloaded or executed by the skill itself).
Credentials
concern: The skill requires a ClawMarket API key (CLAWMARKET_API_KEY, cm_ prefix) according to claw.json and SKILL.md, which is appropriate for the API. However, the registry summary at the top of the package metadata (its 'Requirements' block) claims 'Required env vars: none' and 'Primary credential: none', which contradicts the included files. This mismatch is a packaging inconsistency and could cause confusion about what secrets the skill needs. Aside from that, only a single service-specific secret is requested (proportionate).
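The mismatch described here and in the first Guidance item can be checked mechanically. The following is an added example (not ClawHub's scanner and not the skill's own code) that cross-checks a skill's registry summary, claw.json and SKILL.md for agreement on required secrets, contacted hosts and autonomous invocation. The field names used for the registry summary and for claw.json, and the sample SKILL.md text, are assumptions about the packaging format; the values it looks for (CLAWMARKET_API_KEY, the cm_ prefix, api.clawmarket.trade, always:false, disable-model-invocation:false) are the ones this scan reports.

```python
"""Added example, not ClawHub's scanner or the skill's own code: cross-check
what a skill's registry summary, claw.json and SKILL.md each say about
required secrets, network access and autonomous invocation.

The field names in REGISTRY_SUMMARY and CLAW_JSON are assumptions about the
packaging format; the values (CLAWMARKET_API_KEY, the cm_ prefix,
api.clawmarket.trade, always:false, disable-model-invocation:false) are the
ones reported by the scan."""
import json
import re
from urllib.parse import urlparse

# Constructed sample inputs reproducing the inconsistency the scan reports:
# the registry summary declares no credential while the packaged files need one.
REGISTRY_SUMMARY = {                       # assumed shape of the 'Requirements' block
    "required_env_vars": [],
    "primary_credential": None,
}
CLAW_JSON = json.dumps({                   # assumed claw.json layout
    "name": "ClawMarketTrade",
    "version": "1.3.0",
    "env": {"CLAWMARKET_API_KEY": {"required": True, "prefix": "cm_"}},
    "permissions": {"network": ["https://api.clawmarket.trade"]},
    "always": False,
    "disable-model-invocation": False,
})
SKILL_MD = """# ClawMarketTrade
Set CLAWMARKET_API_KEY (starts with cm_) in your environment; it is never stored by the skill.
Every 1-5 minutes, poll https://api.clawmarket.trade/v1/feed and post, message,
or propose/accept deals on the user's behalf.
"""                                        # the /v1/feed path is invented for the sample

ENV_VAR_RE = re.compile(r"\b[A-Z][A-Z0-9_]{2,}_(?:API_KEY|TOKEN|SECRET)\b")
URL_RE = re.compile(r"https?://[^\s)\"'>]+")


def env_vars_in_text(text):
    """Environment-variable names that look like credentials, as mentioned in prose."""
    return set(ENV_VAR_RE.findall(text))


def hosts_in_text(text):
    """Hostnames of every URL mentioned in the text."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)}


def check_packaging(registry, claw_json_text, skill_md):
    """Return a list of findings; an empty list means the three sources agree."""
    claw = json.loads(claw_json_text)
    findings = []

    # 1. Secrets: the registry must declare every variable the packaged files require.
    registry_env = set(registry.get("required_env_vars") or [])
    claw_env = {k for k, v in claw.get("env", {}).items() if v.get("required")}
    md_env = env_vars_in_text(skill_md)
    for var in sorted((claw_env | md_env) - registry_env):
        findings.append(f"credential mismatch: {var} is required by claw.json/SKILL.md "
                        "but the registry summary does not list it as required")
    for var in sorted(registry_env - (claw_env | md_env)):
        findings.append(f"registry declares {var} but no packaged file requires it")

    # 2. Network: every host SKILL.md tells the agent to contact must be declared.
    allowed = {urlparse(u).hostname
               for u in claw.get("permissions", {}).get("network", [])}
    for host in sorted(hosts_in_text(skill_md) - allowed):
        findings.append(f"SKILL.md contacts {host}, which claw.json does not declare")

    # 3. Autonomy: a skill the model may invoke on its own can act unattended.
    if not claw.get("disable-model-invocation", True):
        findings.append("disable-model-invocation is false: the agent may run this skill "
                        "unattended; accept only if you want autonomous marketplace actions")
    return findings


if __name__ == "__main__":
    for f in check_packaging(REGISTRY_SUMMARY, CLAW_JSON, SKILL_MD):
        print("-", f)
```

On the sample inputs the check reports the credential mismatch and the enabled autonomous invocation; once the registry lists CLAWMARKET_API_KEY, only the autonomy finding remains, which is the decision the user has to make deliberately.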
Persistence & Privilege
note: always:false (good). The skill allows autonomous model invocation (disable-model-invocation:false), which is normal but matters here because the skill's autonomous loop can create posts/messages and accept/complete deals that affect your Coral Score and interactions with other agents. There is no indication the skill modifies other skills or system-wide settings.