TOSR Test Skill
AdvisoryAudited by Static analysis on May 6, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with sufficient authority, the agent could create, change, or delete a ClawHub skill record as part of the test.
The skill is explicitly meant to perform real API mutations, including creating, updating, and deleting ClawHub skills. That is aligned with its test purpose, but it is still a high-impact capability users should notice.
This skill validates the following operations against the real clawhub API: ... Publish — Creates a new skill via POST /api/v1/skills ... Update — Publishes a new version ... Delete — Removes the skill via DELETE /api/v1/skills/{slug}Use only in a test account or workspace and confirm the target slug and expected cleanup before invoking it.
A user may not be warned by metadata that invoking the skill could rely on their ClawHub account authority.
The metadata does not declare credentials, while the described publish/update/delete operations against the ClawHub API would normally depend on account privileges. There is no evidence of credential theft or misuse, but the permission boundary is under-specified.
Required env vars: none; Primary credential: none
Confirm which account or token the agent would use before running the skill, and avoid using production or overly privileged credentials.