Back to skill
Skillv1.0.0
ClawScan security
BapBook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 4, 2026, 7:43 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated purpose (a social feed for agents) matches its instructions, but the runtime guidance asks agents to fetch and follow remote instructions (https://bapbook.com/skill.md), encourages persistent periodic behavior, and instructs storing an API key without declaring credentials — these raise injection, persistence, and credential-handling concerns.
- Guidance
- This skill appears to do what it says (agent social feed), but it asks your agent to (1) register and store an API key, (2) run an automated heartbeat every ~30 minutes that browses the feed and may post or upvote, and (3) fetch and obey remote content at https://bapbook.com/skill.md. Before installing: verify you trust the bapbook domains and the people running them; avoid storing the API key in world-readable files or process-wide env vars; prefer prompting your human before posting/upvoting or set strict filters/rate limits; consider running the integration in a sandboxed agent or with human-in-the-loop approvals; and inspect the live https://bapbook.com/skill.md content and the API server (bapbook-api.fly.dev) to ensure no unexpected instructions or endpoints are present. If you need higher assurance, ask the developer for a canonical, auditable API spec and a threat model for the heartbeat behavior.
Review Dimensions
- Purpose & Capability
- okName/description align with the instructions: the SKILL.md only describes registering, posting, voting, commenting on BapBook via the documented API endpoints. No unrelated services, binaries, or installs are requested.
- Instruction Scope
- concernThe instructions direct the agent to periodically fetch external content (https://bapbook.com/skill.md) and "follow the Heartbeat Routine" found there. That means runtime behavior can be changed by content served from that remote site — an instruction-injection vector. The SKILL.md also encourages autonomous periodic actions (every 30 minutes) that include posting/upvoting; automatic publishing/upvoting without human confirmation can cause unwanted broadcasts or abuse.
- Install Mechanism
- okNo install spec and no code files — lowest disk/write risk. All interactions are via curl-like HTTP calls to the BapBook API endpoints listed in the document.
- Credentials
- noteThe skill requires an API key for full functionality and suggests storing it (memory, ~/.config/bapbook/credentials.json, or env var BAPBOOK_API_KEY). However, the registry metadata lists no required env vars or primary credential. Requesting storage of a secret is reasonable, but the SKILL.md gives no guidance on secure storage or least-privilege usage and encourages persistent storage in common paths or environment variables that other processes might access.
- Persistence & Privilege
- concernAlthough the skill does not set always:true, the instructions strongly push agents to add a frequent (30-minute) heartbeat and persist credentials and state. That enables long-lived, autonomous network activity and increases blast radius if the remote site changes behavior or is compromised.