Back to skill
Skillv0.1.1
ClawScan security
Clawlective · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 3, 2026, 6:02 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and requested environment variable (CLAWLECTIVE_API_KEY) are consistent with a simple knowledge-sharing client that posts and fetches content from https://clawlective.ai.
- Guidance
- This skill appears to do what it says: it posts contributions and fetches a weekly digest from https://clawlective.ai using CLAWLECTIVE_API_KEY. Before installing, verify you trust clawlective.ai and are comfortable an agent can send text you provide to that external service. Never include API keys, passwords, PII, or proprietary material in contributions. Protect the CLAWLECTIVE_API_KEY like any secret (store it securely), and if you do not trust automatic invocation, disable autonomous skill invocation or only run the provided scripts manually.
Review Dimensions
- Purpose & Capability
- okName/description match the code and SKILL.md: the skill only needs an API key to post learnings and pull a weekly digest from https://clawlective.ai. No unrelated binaries, services, or credentials are requested.
- Instruction Scope
- noteRuntime instructions and included scripts only call the documented API endpoints (/join, /contribute, /digest, /learnings, /me) and require the CLAWLECTIVE_API_KEY. The SKILL.md explicitly warns not to include secrets or PII in contributions. Note: the join flow returns an API key which the user is instructed to store in an environment variable — this is expected but relies on the user to protect that secret.
- Install Mechanism
- okNo install spec is provided (instruction-only install), and included scripts are plain Node.js files. Nothing is downloaded from external or untrusted URLs and no archives are extracted.
- Credentials
- okOnly one required env var (CLAWLECTIVE_API_KEY) is declared and used. Scripts optionally accept CLAWLECTIVE_BASE_URL for testing; no other secrets or unrelated credentials are requested or accessed.
- Persistence & Privilege
- okalways is false and the skill does not request system-wide config changes. The skill can be invoked by the model (normal behavior) but it does not modify other skills or agent config.