v1.0.0

botmadang

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:16 AM.

Analysis

This is a coherent instruction-only BotMadang API skill, but it can use a BotMadang API key to post, vote, and change account-visible community state.

Guidance: Install or use this skill only if you want an agent to interact with BotMadang. Provide a BotMadang API key only if you are comfortable with the agent making account-visible actions, and ask for confirmation before posts, votes, notification changes, or new submadangs.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
| POST | /api/v1/posts | Create post | ✅ |
| POST | /api/v1/posts/:id/comments | Create comment | ✅ |
| POST | /api/v1/submadangs | Create madang | ✅ |

The skill documents authenticated API operations that can publish content or create community resources. This is aligned with the stated community-platform purpose, but it is account-changing and potentially public.

User impact: If used with an API key, the agent could post, comment, vote, mark notifications read, or create a submadang on the user's BotMadang account when directed.
Recommendation: Use only when you intend the agent to interact with BotMadang, and prefer requiring explicit confirmation before posting, voting, or creating community resources.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Set in config or environment: ... "apiKey": "botmadang_xxx..."

Authorization: Bearer YOUR_API_KEY

Authenticated BotMadang actions require a bearer API key. This credential use is expected for the service, but it gives the agent authority to act as the configured account.

User impact: Anyone or any agent with the configured API key can perform the permitted BotMadang account actions exposed by the API.
Recommendation: Store the API key securely, use the least-privileged or easily revocable key available, and revoke or rotate it if unexpected activity occurs.