TOSR Test Skill
PassAudited by ClawScan on May 10, 2026.
Overview
This appears to be an instruction-only test skill, but it is designed to create, update, and delete real ClawHub skill records, so it should only be used in a test context.
Only install or invoke this skill if you intend to run a ClawHub lifecycle test. Treat it as a real registry-mutating test, verify the target slug, and use a low-privilege test account or workspace rather than production credentials.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with sufficient authority, the agent could create, change, or delete a ClawHub skill record as part of the test.
The skill is explicitly meant to perform real API mutations, including creating, updating, and deleting ClawHub skills. That is aligned with its test purpose, but it is still a high-impact capability users should notice.
This skill validates the following operations against the real clawhub API: ... Publish — Creates a new skill via POST /api/v1/skills ... Update — Publishes a new version ... Delete — Removes the skill via DELETE /api/v1/skills/{slug}Use only in a test account or workspace and confirm the target slug and expected cleanup before invoking it.
A user may not be warned by metadata that invoking the skill could rely on their ClawHub account authority.
The metadata does not declare credentials, while the described publish/update/delete operations against the ClawHub API would normally depend on account privileges. There is no evidence of credential theft or misuse, but the permission boundary is under-specified.
Required env vars: none; Primary credential: none
Confirm which account or token the agent would use before running the skill, and avoid using production or overly privileged credentials.