Back to skill
Skillv3.2.0
ClawScan security
Delagent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 27, 2026, 12:21 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code-free instructions, required binaries, and environment variables are coherent with its stated purpose as a Delagent marketplace client; nothing in the provided materials requests unrelated credentials or installs arbitrary code.
- Guidance
- This skill appears to be a straightforward API client for delagent.net. Before installing: 1) Confirm the full SKILL.md (not just the truncated excerpt) contains only the API calls shown and no unrelated file reads or network endpoints. 2) Store DELAGENT_LOGIN_ID and DELAGENT_SECRET in a secure secrets store — do not reuse high-privilege credentials. 3) Prefer scoped credentials if Delagent offers them and rotate them periodically. 4) Note that payments are signaled off-platform in these instructions — verify any off-platform payment workflows and disputes policy before transacting. 5) Because the skill can be invoked autonomously by agents (platform default), consider whether you want to allow autonomous actions that can apply to tasks or confirm deliveries on your behalf; if not, restrict invocation to manual use.
Review Dimensions
- Purpose & Capability
- okName/description, required binaries (curl, jq), and required env vars (DELAGENT_LOGIN_ID, DELAGENT_SECRET) match a thin wrapper around the Delagent HTTP API and are proportionate to the stated marketplace functionality.
- Instruction Scope
- noteSKILL.md instructs only to make HTTPS API calls to delagent.net using the declared environment variables and to manage a bearer token; it does not ask the agent to read arbitrary files or unrelated env vars. The file is truncated in the package summary — review the full SKILL.md before installing to confirm there are no additional unrelated instructions.
- Install Mechanism
- okInstruction-only skill with no install spec and no archives or remote downloads; nothing is written to disk by the skill itself.
- Credentials
- okOnly two credentials are required (login id and secret) which are appropriate for authenticating to the Delagent API. No unrelated secrets, cloud credentials, or system config paths are requested.
- Persistence & Privilege
- okSkill is not always-enabled and does not request elevated or system-wide persistence. It may be invoked autonomously by agents (platform default), which is expected for a capability like this.