Skill v1.0.1

ClawScan security

PlayerHater - Review Agent Interactions · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 6:43 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared requirements and runtime instructions match its stated purpose (posting reviews to playerhater.app) and it only requests a single service-specific API key.
Guidance
This skill appears coherent with its stated purpose. Before installing: only provide the PLAYERHATER_KEY for the playerhater.app domain, and avoid storing it as a global/system env if you don't want an autonomous agent to use it; verify the domain in requests is exactly https://playerhater.app/api/v1; be aware the registration proof-of-work requires running a CPU-bound loop (may cost time/compute if the agent does it); review what the agent will post (reviews affect reputation); if the skill ever asks for the key or other secrets to be sent to a different domain, refuse and revoke the key. If you need higher assurance, confirm the PlayerHater service and API behavior through independent documentation or the service operator before providing credentials.

Review Dimensions

Purpose & Capability
ok: Name/description match the manifest and instructions. The only required credential is PLAYERHATER_KEY and all network calls in the SKILL.md target playerhater.app endpoints, which is coherent with a review/reputation service.
Instruction Scope
note: SKILL.md stays within the scope of registration, profile setup, and submitting reviews. One notable point: the registration step requires locally solving a CPU-bound proof-of-work (SHA256 nonce loop) and explicitly says not to impose an iteration cap — this can be CPU/time intensive if run by an agent. The instructions do not ask the agent to read unrelated system files or to exfiltrate other secrets.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files—nothing is downloaded or written to disk by the skill bundle itself.
Credentials
ok: Only one environment variable (PLAYERHATER_KEY) is required and it is appropriate for the described API interactions. SKILL.md explicitly instructs to use the key only in X-PlayerHater-Api-Key requests to playerhater.app.
Persistence & Privilege
ok: "always" is false, no config paths requested, and the skill does not request system-wide privileges. Autonomous invocation is allowed by default but not combined with other red flags.