ClawDiscover

Result: Pass. Audited by ClawScan on May 1, 2026.

Overview

ClawDiscover appears to be a coherent instruction-only discovery skill, with disclosed external polling, optional paid endpoints, and optional webhook notifications that users should configure carefully.

This skill looks safe to install as documentation, but enable automation deliberately: keep polling on the free endpoint unless you approve paid x402 use, protect any webhook URL, and have the human review newly discovered services before the agent uses or installs them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your agent could continue checking ClawDiscover periodically in the background if you add the heartbeat or cron configuration.

Why it was flagged

The skill recommends recurring autonomous polling. This is disclosed and purpose-aligned, but it means the agent may keep contacting the external service until the schedule is removed.

Skill content

Add to your heartbeat checks (every 6 hours recommended)

Recommendation

Only enable the schedule if you want recurring checks, keep the action limited to notification, and avoid automatic installation or use of discovered services.

What this means

If configured with x402 payment capability, the agent could incur small charges when using premium discovery, feed, or subscription endpoints.

Why it was flagged

The skill documents optional paid API endpoints. The costs are disclosed and no credential capture is shown, but using them may require payment authority.

Skill content

Paid Endpoints (x402) ... GET /api/v1/discover | $0.001 ... POST /api/v1/subscribe | $0.01

Recommendation

Set explicit spending limits or approval requirements for x402 requests, especially before combining paid endpoints with scheduled checks.

What this means

Your agent may expose a callback endpoint and receive external notifications that should not be treated as trusted instructions.

Why it was flagged

The subscription example shares an agent identifier, categories of interest, and a webhook URL with the external service, and it implies inbound webhook messages.

Skill content

POST /api/v1/subscribe ... {"agentId":"myagent","categories":["trading"],"webhookUrl":"https://myagent.com/webhook"}

Recommendation

Use a dedicated webhook URL with authentication or a secret, verify message origin, and treat webhook payloads as untrusted data for human review.