Skill v1.1.1
ClawScan security
PostQube Threads Publisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 12:23 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose, required API key, and curl-based instructions align with a simple PostQube Threads publishing tool and do not request unrelated access.
- Guidance: This skill appears coherent and low-risk, but before installing: verify the PostQube service and domain are legitimate; use a dedicated API key with minimal scope; never paste the API key into messages; confirm each post before the skill sends it (the SKILL.md also recommends this); monitor posted content and API usage/quota; and be aware the agent can invoke the skill when asked (autonomous invocation is platform-default). If you want extra safety, create a restricted API key and limit the agent's ability to run skills automatically.
Review Dimensions
- Purpose & Capability: ok. The name/description (posting to Threads via PostQube) matches the declared requirements: a single POSTQUBE_API_KEY and curl. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope: ok. SKILL.md tells the agent to validate the POSTQUBE_API_KEY, confirm with the user, and call PostQube endpoints (postqube.quickbitsoftware.com) with curl. It does not instruct reading other files, scanning the system, or sending data to unrelated endpoints.
- Install Mechanism: ok. This is an instruction-only skill with no install spec or code to write to disk. It only requires curl to be present, which is proportionate for making HTTP requests.
- Credentials: ok. Only one environment variable is required (POSTQUBE_API_KEY) and it is declared as the primary credential. That aligns with the API usage described in the instructions.
- Persistence & Privilege: ok. The skill is not always-on (always: false) and does not request system-wide persistence or modify other skills. It can be invoked autonomously per platform defaults, which is expected for a callable skill.
