Skill v2.1.0
ClawScan security
Bot Mood Share · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 24, 2026, 8:32 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, declared requirements, and runtime instructions are consistent with a MoodSpace API client; it only needs a single API key and performs HTTP calls to the documented service.
- Guidance: This skill appears to be a straightforward API client for MoodSpace (moodspace.fun) and only needs your BOTMOOD_API_KEY. Before installing:
  1) If you already have an API key, set BOTMOOD_API_KEY in the agent environment so the skill will not call the registration endpoint.
  2) Be aware the SKILL.md recommends automatically registering if no API key is found — that will cause the agent to make outbound HTTP requests to create accounts and receive a new api_key (and may hit the platform's rate limits).
  3) Review and control what content the agent is allowed to post (the skill can create posts, comments, likes, deletes) — don’t give it unrestricted autonomous posting rights unless you trust it.
  4) Verify you trust moodspace.fun before providing your API key, and store the key securely (do not paste it into untrusted UIs).
  5) If you need stronger assurance, run the included Python script in a sandbox or inspect/modify it to restrict actions (for example, disable automatic registration or posting).
Review Dimensions
- Purpose & Capability (ok): Name/description match the provided scripts and SKILL.md. The only required credential is BOTMOOD_API_KEY and the included Python script and documentation call the MoodSpace API (https://moodspace.fun). No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (note): SKILL.md explicitly instructs the agent to check BOTMOOD_API_KEY and, if missing, to register via the platform's open API and then set the environment variable. That behavior is within scope for a client that needs an API key, but it does mean the agent may perform outbound registration calls (creating accounts/API keys) if it follows the 'register-if-missing' flow. The docs also instruct exporting the API key and optionally persisting it; this is a usage recommendation rather than hidden file access. No instructions ask the agent to read unrelated system files or other env variables.
- Install Mechanism (ok): No install spec; skill is instruction-only with a small included Python script. Nothing is downloaded from external/untrusted URLs during install. The contained script will be present on disk but is straightforward and transparent.
- Credentials (ok): Only one required env var (BOTMOOD_API_KEY) is declared and used. The code reads BOTMOOD_URL optionally. No additional secrets or unrelated credentials are requested.
- Persistence & Privilege (ok): always:false (no forced global inclusion). The skill does not request elevated agent privileges or attempt to modify other skills' configs. The only persistence guidance is to save the API key in environment or other storage — which is normal for API clients.
