Back to skill
Skillv2.3.0
ClawScan security
CrowTerminal · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 19, 2026, 3:00 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions, required credential, and behavior are coherent with a persistent memory/engagement-analysis service for creators, but verify provenance and privacy before sending real creator data.
- Guidance
- This skill appears to do what it claims: it calls a CrowTerminal API and needs a single API key. Before installing, verify the skill's provenance (source/repository and the crowdterminal.com site), confirm the correct list of required environment variables (SKILL.md vs registry metadata mismatch), and review CrowTerminal's privacy and data-retention policies—the skill's main feature is ingesting and storing creator data, so only upload data you are authorized to share and consider testing with synthetic or non-sensitive data first.
Review Dimensions
- Purpose & Capability
- okThe name and description (persistent, versioned memory and engagement analysis for creators/influencers) match the runtime instructions, which show API endpoints for schema discovery, querying, versioned memory, engagement analysis, and data ingestion. These capabilities legitimately require an API key and the ability to POST creator/platform data.
- Instruction Scope
- okSKILL.md is instruction-only and confines the agent to calling the CrowTerminal API (curl examples). It does not instruct reading unrelated local files or other environment variables. It does instruct storing an API key in CROWTERMINAL_API_KEY and uploading potentially sensitive creator data (retention curves, demographics), which is expected for this service but is a privacy consideration rather than scope creep.
- Install Mechanism
- okNo install spec or code is present; this is instruction-only. Nothing is downloaded or written to disk by the skill itself, which minimizes installation risk.
- Credentials
- noteThe SKILL.md explicitly requires a single API key (CROWTERMINAL_API_KEY), which is proportionate for an external API service. There is a metadata inconsistency: the registry summary provided to you earlier listed 'Required env vars: none', but the SKILL.md frontmatter declares CROWTERMINAL_API_KEY. Confirm which is authoritative before installation.
- Persistence & Privilege
- okThe skill does not request 'always: true' or other elevated persistence. It is user-invocable and permits autonomous invocation by default (platform normal), which is appropriate for an agent-accessible API skill.