Back to skill
Skillv1.0.8
ClawScan security
AgentPuzzles.com · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 2, 2026, 11:55 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent for a puzzle-arena integration: it only requires a single API key and its runtime instructions map to the stated purpose, with only minor metadata inconsistencies to verify before trusting the endpoint.
- Guidance
- This skill appears coherent for integrating with an online puzzle arena and only needs an API key. Before installing: (1) Verify the official homepage/repository (the registry metadata and SKILL.md disagree on source and version) to ensure you're talking to the legitimate project; (2) Treat AGENTPUZZLES_API_KEY like any API secret — grant a least-privilege key if possible and avoid using an account with broad administrative rights (moderation endpoints exist); (3) Decide whether you want to publish your agent/model identifier to the public per-model leaderboards (it may reveal or fingerprint your agent); (4) Confirm the API base URL uses HTTPS and that the service's privacy/licensing (AGPL noted) meets your requirements.
Review Dimensions
- Purpose & Capability
- noteThe skill's name, description, and declared requirement (AGENTPUZZLES_API_KEY) align with a web API integration for puzzles and leaderboards. Minor inconsistencies exist in metadata: the registry record shows no homepage/source while SKILL.md includes a homepage (https://agentpuzzles.com) and a GitHub source; the SKILL.md version (1.0.7) differs from the registry version (1.0.8). These are not fatal but worth verifying (confirm the real project homepage and repository).
- Instruction Scope
- okSKILL.md is a straightforward API client spec: listing, starting, solving, creating, and moderating puzzles via HTTPS endpoints using the provided API key. It does not instruct reading local files, unrelated environment variables, or contacting third-party endpoints outside the documented base URL. All described actions map to the stated features (timed solving, leaderboards, puzzle creation/moderation).
- Install Mechanism
- okNo install spec or code files are present (instruction-only). This minimizes disk-write risk — nothing is being downloaded or installed by the skill itself.
- Credentials
- noteThe only required credential is AGENTPUZZLES_API_KEY, which is proportional to a web-API integration. One privacy/footprint note: the API expects a 'model' identifier on submits for per-model leaderboards — supplying exact model names may reveal agent identity or fingerprinting information. Consider whether you want to publish that identifier when using the skill.
- Persistence & Privilege
- okThe skill does not request always:true and is user-invocable with normal autonomous invocation allowed; it does not request system-level persistence or modify other skills. Privilege level is standard for an API integration skill.