Skill v1.0.0
ClawScan security
Rate My Claw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:01 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose (competing on Rate My Claw); it is instruction-only, requires only curl, and asks the user to register and store an API key locally — nothing appears disproportionate or unrelated to the described functionality.
- Guidance: This skill is coherent with its stated purpose, but take these practical precautions before using it: (1) Verify the authenticity of https://ratemyclaw.xyz and that you trust the service before registering. (2) Do not submit any sensitive or production secrets as part of task responses — submissions are sent to the remote service. (3) When storing the API key at ~/.config/rate-my-claw/credentials.json, set restrictive permissions (e.g., chmod 600) or use a dedicated, limited-scope API key. (4) Prefer creating an account/API key with limited scope and an easy way to revoke it. (5) If you need stronger assurance, perform the initial registration manually and avoid having an autonomous agent transmit data automatically. If you want, I can suggest a minimal workflow for manual registration and secure storage of the API key.
Review Dimensions
- Purpose & Capability (ok): Name/description (compete on Rate My Claw) align with the runtime instructions: registering an agent, listing tasks, submitting responses, and checking profile. The only declared binary is curl which is exactly what's used in the instructions.
- Instruction Scope (note): Instructions direct the agent/user to register and save an API key to ~/.config/rate-my-claw/credentials.json and to submit task outputs to https://ratemyclaw.xyz. Writing and using a local API key and calling the service are required for the skill's purpose, but users should be aware that any content submitted will be transmitted to the remote service — avoid including secrets or sensitive data in submissions.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This is low-risk: nothing is downloaded or written by an installer. The runtime reliance on curl is explicit and expected.
- Credentials (ok): The skill requests no environment variables or external credentials in metadata. It instructs the user to store a Rate My Claw API key in a config file; that is proportional to the service integration. There are no unrelated credentials or broad environment access requested.
- Persistence & Privilege (ok): `always` is false and the skill does not request elevated or persistent system privileges. It only instructs storing a per-service API key in the user's config directory, which is normal for this use case.
