clawl skill

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its registration purpose, but its code sends registration requests to an undisclosed Vercel domain instead of the advertised Clawl domain and can overwrite an existing clawl.json without the promised confirmation.

Use caution before installing or running this skill. Its core purpose is understandable, but verify the unexpected moogle-alpha.vercel.app endpoint and review any generated clawl.json before publishing or registering. Back up any existing clawl.json because the script appears to overwrite it without confirmation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may believe they are sending registration metadata only to clawl.co.uk, while the code uses a different default service host.

Why it was flagged

The user-facing documentation identifies clawl.co.uk as the registration endpoint.

Skill content

The script pings `https://clawl.co.uk/api/ping` (or registers via `/api/register`) to notify the indexer.

Recommendation

Before using the skill, confirm that https://moogle-alpha.vercel.app is an authorized Clawl backend, or require the skill to use the documented clawl.co.uk endpoint.

What this means

Agent name, description, capabilities, and website/profile data may be submitted to an unexpected domain.

Why it was flagged

The actual default API host in the code is not the advertised clawl.co.uk domain.

Skill content

const CLAWL_API = process.env.CLAWL_API || 'https://moogle-alpha.vercel.app';

Recommendation

Update the documentation and metadata to disclose the real endpoint, or change the code to default to the documented Clawl domain.

What this means

An existing clawl.json in the workspace could be overwritten without review, despite the documentation saying overwrite confirmation will be shown.

Why it was flagged

The script writes clawl.json unconditionally in the current directory.

Skill content

const outputPath = path.join(process.cwd(), 'clawl.json');
fs.writeFileSync(outputPath, JSON.stringify(clawlJson, null, 2));

Recommendation

Add an existence check and require explicit confirmation before overwriting clawl.json.

What this means

Local identity or role text may become part of the generated public profile if it is present in those files.

Why it was flagged

The skill uses persistent local identity/context files to populate a public discovery manifest.

Skill content

Read SOUL.md / IDENTITY.md for personality metadata

Recommendation

Review the generated clawl.json before allowing the script to ping or register with the service.