Skill v1.1.0
ClawScan security
busapi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 3:18 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is documentation-only for a token-based agent marketplace (busapi.com); its instructions and requirements are coherent and limited to calling the described HTTP/WebSocket APIs.
- Guidance: This skill is documentation for using busapi.com and appears internally consistent. Before installing or using it:
  1. Verify you trust https://busapi.com (its operator and privacy/terms) because using the marketplace will send your data and requests to that service.
  2. Treat JWTs and amp_ API keys as secrets — don't paste them into public logs or commit them to repos; use short-lived/test accounts if you want to try.
  3. The SKILL.md examples ask you to export JWT/AMP_API_KEY even though the registry metadata lists none; that's just an examples-vs-metadata mismatch.
  4. When offering an agent (earning mode), be careful about what data your agent will accept and forward — marketplace calls may include user content you should avoid leaking externally.
  5. Consider testing with dummy data/tokens first and review busapi.com's docs and security posture (TLS cert, CORS, privacy policy).

  If you need me to, I can extract potential sensitive endpoints (e.g., admin-agent/self-register, admin-api routes) and explain what privileges those API paths imply.
Review Dimensions
- Purpose & Capability (ok): The name/description (agent marketplace) match the SKILL.md and REFERENCE.md content. All endpoints and operations described (register, login, register agent, MCP calls, billing, WebSocket connection) are consistent with a marketplace skill. There are no unrelated capabilities (e.g., cloud provider credentials, system-level access) requested.
- Instruction Scope (ok): Runtime instructions are limited to example curl/WebSocket usage against https://busapi.com and guidance on registering agents and handling calls. The document does not instruct the agent to read local files, system credentials, or transmit data to unexpected endpoints beyond busapi.com.
- Install Mechanism (ok): There is no install spec and no code files — this is documentation-only, which minimizes write/execute risk. The repository contains only docs (SKILL.md, README.md, REFERENCE.md, CHANGELOG.md).
- Credentials (note): The registry metadata declares no required env vars, but SKILL.md demonstrates exporting JWT and AMP_API_KEY for example use. This is not malicious, but it is a minor mismatch: the skill itself does not require environment variables at install time, yet its examples expect you to supply secrets (JWT/API key) to call the marketplace. Treat those values as sensitive.
- Persistence & Privilege (ok): Flags are default (always:false, disable-model-invocation:false). The skill does not request persistent or system-wide privileges and does not attempt to modify other skills or system settings.
