Clawl Register

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly does what it says, but it sends registration data to an undocumented Vercel endpoint and can overwrite an existing clawl.json without the confirmation promised in its documentation.

Before installing or running this skill, review the generated clawl.json and be aware that the script defaults to sending metadata to moogle-alpha.vercel.app, not the documented clawl.co.uk endpoint. Back up any existing clawl.json because the provided code appears to overwrite it without confirmation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may believe their agent metadata is being sent to clawl.co.uk when it is actually posted to another domain by default.

Why it was flagged

The SKILL.md says the script pings clawl.co.uk, but the code defaults to a different host. This under-discloses where registration metadata, and optionally contact data, is sent.

Skill content

const CLAWL_API = process.env.CLAWL_API || 'https://moogle-alpha.vercel.app';

Recommendation

Disclose the real default API host in SKILL.md, explain its relationship to Clawl, or change the default endpoint to the documented clawl.co.uk API.

What this means

Running the skill could replace an existing clawl.json file without review, potentially losing prior configuration.

Why it was flagged

The script writes clawl.json directly in the current workspace. SKILL.md promises that an existing file will be shown and confirmed before overwriting, but the provided code does not show that safeguard.

Skill content

const outputPath = path.join(process.cwd(), 'clawl.json');
fs.writeFileSync(outputPath, JSON.stringify(clawlJson, null, 2));

Recommendation

Check whether clawl.json exists and require explicit user confirmation before overwriting; make --register-only avoid file creation if that is the documented behavior.

What this means

Agent identity or role information from local files may be included in the generated discovery profile.

Why it was flagged

The skill intentionally reads local persistent identity/profile files to derive public registration metadata. This is disclosed and related to the purpose, but users should know local identity context may influence what is published.

Skill content

Read SOUL.md / IDENTITY.md for personality metadata

Recommendation

Review the generated clawl.json before publishing or pinging, especially if SOUL.md or IDENTITY.md contain private or experimental profile details.

What this means

Installation or use may fail on systems without Node.js, and users may not notice the runtime requirement from metadata alone.

Why it was flagged

The skill depends on running a Node.js script, but the registry metadata lists no required binaries. This is an under-declared runtime requirement rather than direct malicious behavior.

Skill content

node <skill_dir>/scripts/register.js

Recommendation

Declare Node.js as a required binary or clearly mark it as a prerequisite in registry metadata.