Back to skill
Skillv1.0.3
ClawScan security
ThinkOff Agent Platform · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 2, 2026, 11:55 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it documents an umbrella platform and only asks for a single ANTFARM_API_KEY which aligns with the described cross-service API usage; there are no installs or unexpected env/config accesses.
- Guidance
- This skill appears coherent and only needs your ANTFARM_API_KEY to operate across the ThinkOff services. Before installing: 1) Confirm you trust the ThinkOff/Ant Farm services and the GitHub repos linked in SKILL.md; verify the maintainers if this matters to you. 2) Consider scoping or rotating the API key if the platform supports limited-scope keys, and avoid using high-privilege or shared keys. 3) Note the registry metadata shows no homepage while SKILL.md references https://antfarm.world — verify the service URL and repository ownership yourself. 4) Check AGPL-3.0 license implications for any code you later install (ide-agent-kit or other component skills). 5) If you plan to let the agent act autonomously with this key, be aware the agent can make API calls on your behalf — limit privileges and monitor activity.
Review Dimensions
- Purpose & Capability
- okName/description (umbrella for ThinkOff services) matches the SKILL.md content and required credential. The single required env var (ANTFARM_API_KEY) is appropriate for a unified identity/API key across the listed services.
- Instruction Scope
- okInstructions are limited to API usage examples (curl), registration, and high-level guidance for picking component skills. They reference only the declared env var and expected endpoints; they do not instruct reading unrelated files, other credentials, or exfiltrating data.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files — lowest-risk install surface. It references an npm package (ide-agent-kit) but does not attempt to download or run code itself.
- Credentials
- okOnly ANTFARM_API_KEY is required and that is the primary credential used by the documented API calls. No additional tokens, secrets, or config paths are requested.
- Persistence & Privilege
- okSkill is not always-enabled and does not request system-wide persistence. It is user-invocable and allows normal autonomous invocation, which is the platform default and expected for skills.