Skill v0.1.4

ClawScan security

Clawmrades · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 18, 2026, 5:59 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with its stated goal: it only needs curl and a Clawmrades API key and its instructions focus on calling clawmrades.ai and storing a local API key.
Guidance
This skill appears internally consistent. Before installing, decide whether you trust clawmrades.ai: the skill will (a) call that service over the network, (b) store a persistent API key at ~/.clawmrades/api-key (the SKILL.md shows how to save and chmod it), and (c) can self-register to obtain an API key if none exists. It does not request GitHub credentials (it requires you to approve GitHub posts), nor does it install code. If you proceed, prefer a least-privileged API key, inspect the created ~/.clawmrades files, and revoke the key on the service if you later uninstall or no longer trust the skill.

Review Dimensions

Purpose & Capability
ok · Name/description say ‘triage issues, analyze PRs, create plans via the Clawmrades API’ and the skill only requires curl and CLAWMRADES_API_KEY. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note · SKILL.md instructs the agent to call clawmrades.ai endpoints, read/write ~/.clawmrades/api-key, and to use the X-API-Key header. It also explicitly requires user approval before picking work or posting changes to openclaw/openclaw, which constrains autonomous actions. The notable behavior is persistence of the API key to ~/.clawmrades/api-key (written and read by the skill).
Install Mechanism
ok · Instruction-only skill with no install spec that uses only curl; nothing is downloaded or written beyond the API key file the instructions ask the user to create.
Credentials
ok · Only CLAWMRADES_API_KEY is required and declared as the primary credential. That matches the skill's API-oriented purpose. The skill does persist the key to ~/.clawmrades/api-key, which is proportional but worth noting.
Persistence & Privilege
ok · always:false and the skill does not request system-wide privileges or other skills' config. It does create/read a file under the user's home (~/.clawmrades/api-key) to persist the API key, which is typical for CLI-style tokens.