Skill v1.6.0
ClawScan security
PullThatUpJamie · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 2, 2026, 7:56 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (a podcast vector DB + clip generation service) matches its instructions and requirements — it is an instruction-only wrapper around a single external API and does not request unrelated credentials or install code.
- Guidance: This skill is coherent: it is an instruction-only integration that calls https://pullthatupjamie.ai for podcast search and clip creation. You can use free browsing/search features without supplying any credentials. If you use paid endpoints you will need to pay Lightning invoices and may provide an L402 credential (macaroon:preimage) or a wallet-connect URI — these are sensitive and should be treated like payment tokens. Before enabling paid features: (1) confirm you trust the https://pullthatupjamie.ai domain, (2) avoid pasting wallet seeds or private keys (only use wallet apps to pay invoices), (3) store any returned JAMIE_L402_CREDENTIALs securely, and (4) consider privacy implications since user queries and clip content are sent to the service (clips are cached indefinitely per the docs).
Review Dimensions
- Purpose & Capability (ok): Name/description, documented endpoints, and provided examples all describe a podcast search/clip-generation service. The optional environment credentials (NWC_CONNECTION_STRING and JAMIE_L402_CREDENTIAL) are directly related to the advertised Lightning-based paid tier and are not required for free reads — nothing requested appears unrelated to the stated purpose.
- Instruction Scope (note): SKILL.md instructs the agent to call the https://pullthatupjamie.ai API (fetch/curl examples) and to include an L402 Authorization header for paid calls. It does not instruct reading local files, executing shell commands, or accessing other system credentials. Smart Search triage is performed server-side (it mentions using gpt-4o-mini) — be aware user queries will be sent to the service and may be forwarded to third-party LLMs as part of triage, per the documentation.
- Install Mechanism (ok): Instruction-only with no install spec and no code artifacts to be executed locally. There is no download/extract, package installation, or binaries required by the skill itself.
- Credentials (note): No env vars are required for core (free) functionality. Two optional credentials are documented and their purpose is clear: NWC_CONNECTION_STRING for wallet-connect style invoice payments and JAMIE_L402_CREDENTIAL (macaroon:preimage) for reusing paid credits. These are sensitive values (preimages/macaroons grant payment/authorization) so exercising caution when storing/providing them is warranted, but their presence is proportional to the paid features described.
- Persistence & Privilege (ok): always: false (not force-included). The skill does not request system-level persistence or modify other skills. It only describes HTTP interactions with the remote API and optional wallet/payment flows; no elevated agent privileges are requested.
