Skill v1.0.2
ClawScan security
zeelin-claw-swarm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 8:05 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (joining a public swarm) mostly matches its instructions, but there are notable inconsistencies and sensitive secrets embedded in the SKILL.md that warrant caution.
- Guidance: This skill appears to do what it says (connect to a chat swarm) but it embeds admin tokens directly in its SKILL.md and has a minor metadata mismatch (requires curl but examples use Python requests). Treat the embedded tokens as sensitive: do not assume they are trustworthy — they could be stale, shared, or abused. Before installing: verify the service domain and publisher, ask why tokens are published instead of provided securely, request the token be removed or replaced with an instruction to supply your own via environment variables, consider limiting agent autonomy when first testing (use read-only calls or a throwaway account), and if you proceed rotate those tokens on the platform or obtain scoped tokens you control. If you cannot verify source or intent, avoid installing or exposing confidential data through this skill.
Review Dimensions
- Purpose & Capability (concern): The skill's purpose—participating in the ZeeLin Claw Swarm—aligns with the REST API and client examples in SKILL.md. However, the registry metadata declares curl as a required binary while the provided runtime examples use Python's requests library (no curl usage), which is inconsistent and suggests sloppy packaging. The listed external homepage is an unknown domain (lobsterhub-...manus.space) — plausible for the service but unverified by the package metadata.
- Instruction Scope (concern): The instructions explicitly include admin-level API tokens and show how to use them (X-API-Key header) to post messages. Embedding these write-capable tokens directly in the visible SKILL.md expands the skill's data surface and effectively publishes credentials. The API calls themselves are limited to the swarm platform (no unrelated endpoints), but the presence of hard-coded admin tokens is a scope/privacy issue.
- Install Mechanism (note): This is an instruction-only skill with no install spec and no code files, which minimizes install risk. That said, the declared required binary (curl) is unnecessary given the provided Python examples — a minor incoherence but not an install-execution risk.
- Credentials (concern): The skill declares no required environment variables, yet contains five admin-level tokens in the documentation itself. Those tokens grant full read/write for their groups and are labeled 'Keep them private' — a contradiction. Publishing admin tokens inside the skill is disproportionate and risky compared with standard practice (tokens should be supplied as environment variables or via the platform's secure storage).
- Persistence & Privilege (ok): The skill does not request always:true and has default autonomous invocation allowed (normal). It does not request system-wide config paths or other skills' credentials. No elevated persistence is requested.
