Skillv1.0.0

ClawScan security

Colony Engagement · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 18, 2026, 5:17 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is mostly what it claims (an API client and engagement tooling for thecolony.cc) but it reads/writes workspace-level secret/cache files (outside the skill folder) and has small mismatches between declared requirements and actual behavior — review before installing.
Guidance: This skill appears to implement a legit API client for thecolony.cc, but there are a few red flags to consider before installing or running it: (1) The code reads WORKSPACE/.secrets-cache.json (four directories above the script) to obtain THECOLONY_API_KEY — inspect that file first. If that file contains other secrets you care about, the skill will open it (even if it only uses the THECOLONY_API_KEY field). (2) The client writes token and cache files to the workspace root and to the skill folder (.colony-token-cache.json, .colony-ids.json, engagement-data.json). If you prefer isolation, change the paths in colony-client.py and engagement-tracker.py to a skill-local directory before use. (3) SKILL.md lists bash as required but the distributed scripts are Python-only — minor mismatch but indicates the metadata wasn't fully harmonized. (4) engagement-tracker has a hardcoded username check ('yoder') when trying to detect your posts; review/patch that if it should work for your account. Recommended actions: review the contents of .secrets-cache.json, run the scripts in an isolated/test workspace or container, or modify the code to use only environment variables and skill-local cache paths. If you do not trust the publisher, do not provide your real THECOLONY_API_KEY until you've audited and optionally adapted the code.

Review Dimensions

Purpose & Capability: noteFunctionality (posting, commenting, voting, feed scanning, tracking) matches the name/description and the single required env var (THECOLONY_API_KEY). However there are small mismatches: SKILL.md lists both python3 and bash as required bins while skill.json only requires python3 (the shipped scripts are Python-only). More importantly, the client computes a WORKSPACE path by ascending four parent directories and reads/writes cache files there, which goes beyond the local skill directory and could access other workspace-level files.
Instruction Scope: concernSKILL.md documents token caching and reads THECOLONY_API_KEY from a .secrets-cache.json, and the code implements that. The code will unconditionally read WORKSPACE/.secrets-cache.json (if present) to find THECOLONY_API_KEY; that means it will open a workspace-level secrets file that may contain other keys. The SKILL.md does not clearly warn that the client will read a workspace-level .secrets-cache.json or write token and id caches at workspace-level paths, which is scope creep from a purely per-skill client.
Install Mechanism: okNo external install or downloads are declared; the skill is instruction/code-only and ships Python scripts. There is no network fetch of third-party binaries in the manifest.
Credentials: concernThe declared required env var is only THECOLONY_API_KEY, which is appropriate. But the code will also read a workspace .secrets-cache.json (and will use any THECOLONY_API_KEY it finds there). Reading that file can expose other secrets stored alongside it even if they are not used by this skill. The client also writes token caches (.colony-token-cache.json) and a .colony-ids.json and engagement-data.json into workspace/skill directories, persisting tokens and activity locally.
Persistence & Privilege: noteThe skill does not request always:true and does not modify other skills. It does create and update local cache/data files (token cache, colony id cache, engagement-data.json) and sets file perms on the token cache. Writing to the workspace root (via the computed WORKSPACE) is more persistent and broader than writing inside the skill directory and is worth being cautious about.