Skillv1.2.0

ClawScan security

Vision Bot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 18, 2026, 4:59 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (image OCR/object detection) matches the runtime instructions, but it requires a spend token and sends image data to an external orchestration endpoint (aiprox.dev); a few unexplained details (e.g., a 'bitcoin-lightning' rail parameter and unverifiable trust claims) make the configuration worth caution before installing.
Guidance: This skill sends your image URLs or base64 image data and a secret 'spend token' to aiprox.dev for processing. Before installing, verify you trust aiprox.dev (review their privacy/billing policy and the homepage), and ask the publisher why the example includes 'rail': 'bitcoin-lightning' (it could indicate an unusual billing path). Prefer issuing a revocable or limited-scope token for testing, and try only non-sensitive images first. If you need guarantees that images aren't stored or aren't routed through other services, request proof or choose a provider with clear audited policies. If anything about the owner/homepage looks unfamiliar, treat the token like a password and avoid sharing sensitive images until you validate the service.

Review Dimensions

Purpose & Capability: noteThe name/description (image description, OCR, object detection) aligns with the skill's single runtime action: POSTing tasks and image URLs/base64 to aiprox.dev for processing. Requesting a single spend token for a third-party API is plausible. However, the example includes a 'rail': 'bitcoin-lightning' parameter which is unrelated to image analysis and is unexplained in the manifest — this is unusual and should be clarified.
Instruction Scope: concernSKILL.md instructs the agent to send task text and image data (URL or base64) plus the spend token to https://aiprox.dev/api/orchestrate. That means potentially sensitive images and any task context will be transmitted off-host. The trust statement claims images are transient and not stored and that processing uses 'Claude via LightningProx' — those are assertions the agent cannot verify from an instruction-only skill. The instructions do not read any local files or unrelated env vars, which is good, but they do enable exfiltration of user-supplied images and text to a third party.
Install Mechanism: okThere is no install spec and no code files — instruction-only skills are lower-risk from an install perspective (nothing is written to disk).
Credentials: concernThe skill requests a single environment variable, AIPROX_SPEND_TOKEN, which is proportionate for an external paid API. However, the token is sent in the JSON body as 'spend_token', meaning it will be transmitted to a third party and used for billing. Users should treat this token as a secret (revokable, limited-scope tokens are preferable). No other credentials are requested (which is good).
Persistence & Privilege: okThe skill does not request always:true or any persistent system changes. It is user-invocable and can be invoked autonomously by the agent (platform default), which is expected for skills of this type.