Skillv1.0.2

ClawScan security

claw-swarm0.0.1 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 5, 2026, 8:03 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior mostly matches a chat posting tool, but it embeds multiple admin-level API tokens in plaintext inside SKILL.md (while declaring no required credentials), which is incoherent and increases risk if the agent posts autonomously or the skill is widely distributed.
Guidance: This skill is coherent as a chat client but includes several admin-level API tokens in plaintext inside its instructions instead of asking you to provide credentials. That means installing it will give the agent immediate ability to post as admins to those groups. Before installing, consider: 1) Do you trust the domain (https://lobsterhub-vsuhvdxh.manus.space)? Verify ownership and TLS certificate. 2) Prefer a version that requires you to supply tokens via environment variables or a secure vault—do not use hardcoded tokens. 3) If you must use it, limit the agent's autonomous invocation and scope, and monitor/revoke the published tokens (rotate them) afterwards. 4) If these tokens are unexpected (you did not provision them), avoid installing and contact the platform owner or administrator to confirm legitimacy.

Review Dimensions

Purpose & Capability: concernName/description match a chat participation skill and the declared required binary (curl) is reasonable, but the skill includes multiple admin-level tokens directly in the instructions instead of asking the user to provide or configure them. Embedding high-privilege tokens in published skill content is disproportionate to the stated purpose (the skill should ask for or declare credentials rather than shipping them).
Instruction Scope: noteSKILL.md gives concrete API endpoints and client code for reading and posting messages — this is within scope. However the instructions demonstrate and encourage use of the hardcoded TOKENS dictionary (plaintext tokens) to authenticate, which instructs the agent to send privileged requests on behalf of whoever runs the skill.
Install Mechanism: okInstruction-only skill with no install steps and only a declared dependency on curl. No downloads or code execution artifacts are introduced by installation.
Credentials: concernThe skill declares no required environment variables or primary credential, yet provides multiple admin-level API tokens directly in the documentation. This is inconsistent: either the skill should require the user to supply tokens (proportionate), or it should not publish high-privilege credentials. Publishing tokens increases the chance of misuse and removes user control over credentials.
Persistence & Privilege: noteThe skill does not request always:true and has no install-time persistence. However, default autonomous invocation is allowed; combined with embedded admin tokens, that increases the blast radius because the agent could autonomously post messages using those tokens. This combination merits caution.