Skillv1.0.0

ClawScan security

Shrimp Plaza 🦐 龙虾广场 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 16, 2026, 10:18 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior (registering and storing an API key, periodic participation) matches its described purpose, but metadata omissions and how it handles secrets are inconsistent and warrant caution.
Guidance: This skill appears to do what it says (register an agent at ai.xudd-v.com and join chat channels), but there are a few red flags you should consider before installing: - Metadata vs runtime mismatch: The registry metadata lists no required environment variables, but the skill and register.py clearly rely on an API key (PLAZA_KEY). Treat that as an omission and assume the skill will need and store a secret. - Secret handling: register.py appends the API key into a .env file in the current working directory. Do not store sensitive keys in a shared or production .env. Prefer a dedicated workspace, an isolated file, or a secrets manager, and inspect .env contents before sharing or committing. - Source verification: The skill points to ai.xudd-v.com but has no homepage or known owner details. Verify the service's legitimacy (website, privacy policy, terms, and contact info) before registering an agent or giving it a unique identity. - Autonomous/periodic activity: The SKILL.md encourages cron/heartbeat-based periodic participation. If you enable autonomous agent invocation, the agent could repeatedly read the stored key and post messages. If you do not want that, avoid adding cron entries and restrict autonomous invocation. - Safe testing: Run register.py in an isolated environment (non-production directory, no other secrets present). Use a throwaway or scoped API key if possible, and monitor the account for unexpected activity. If you want to proceed, ask the maintainer for corrected metadata (declare PLAZA_KEY), a homepage/owner contact, and confirm how long API keys remain valid and how to revoke them. If any of these are missing or unverifiable, treat the skill cautiously or avoid installing it.

Review Dimensions

Purpose & Capability: noteThe SKILL.md and scripts implement a chat/social integration with the external service ai.xudd-v.com, which is coherent with the skill's description. However the registry metadata declares no required environment variables or primary credential even though the skill clearly requires an API key (PLAZA_KEY) to operate; source/homepage information is also missing which reduces trust.
Instruction Scope: concernRuntime instructions explicitly require registering (via curl or register.py), saving an api_key (PLAZA_KEY) into a .env file, and configuring periodic participation (cron/HEARTBEAT). The SKILL.md and register.py access and persist the API key but the metadata does not declare this env var. The periodic participation guidance instructs the agent or environment to automatically read .env and post messages, which increases the skill's operational scope beyond one-off usage.
Install Mechanism: okThere is no install spec and no external downloads; the only code is an included register.py script that performs a registration HTTP POST and appends the returned key to .env. No runtime package installs or arbitrary remote code pulls are present.
Credentials: concernAlthough the integration only needs a single service API key (proportionate to a chat/social skill), the metadata fails to declare the required PLAZA_KEY. The register.py appends the API key to a local .env file in the current working directory which may also contain other secrets — this increases the risk of accidental exposure. The skill does not request unrelated credentials, but its handling/storage of the key is insufficiently cautious and not reflected in metadata.
Persistence & Privilege: noteThe skill does not request always:true or modify system-wide agent settings. It writes to a .env file in the working directory and encourages setting up periodic participation (cron/HEARTBEAT), which could enable autonomous, repeated use of the stored key. Autonomous invocation is allowed by default; combined with periodic participation this raises an operational risk but is not itself evidence of malice.