Skillv1.0.0

ClawScan security

Book a meeting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:31 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The SKILL.md clearly expects an API key and will exchange contact information, but the registry metadata declares no credentials or environment requirements — this mismatch and the sensitivity of the exchanged data warrant caution.
Guidance: Before installing or enabling this skill: (1) Note that SKILL.md requires an API key (and advises storing it), but the registry metadata does not declare any credentials — verify where the API key should come from and whether the platform will treat it as a 'primary credential' for permissioning and audit. (2) The skill will receive counterparty contact information on successful bookings; decide whether your agent is allowed to store, forward, or display that PII and apply least-privilege: use a dedicated API key with minimal scope and retention. (3) If you enable autonomous invocation, restrict the skill's ability to transmit retrieved contacts to external endpoints (or disable autonomous invocation) to reduce exfiltration risk. (4) Confirm the origin and legitimacy of the domain (bookameeting.ai) and consider testing with a throwaway account/API key first. (5) If you need metadata to match behavior, ask the skill author/publisher to update the registry metadata to declare the API key as a primary credential and to document expected scopes and storage/retention rules.

Review Dimensions

Purpose & Capability: concernThe skill's instructions describe a matchmaking/contact-exchange service (MCP endpoints, register_agent, create_need, book, etc.), which is coherent with the skill name. However the registry metadata lists no required credentials or primary credential while the runtime docs require an API key for authentication and advise storing it — a clear metadata/instruction mismatch.
Instruction Scope: noteSKILL.md is focused on the MCP protocol (SSE + JSON-RPC) and tool calls (register_agent, create_need, book, list_matches). It does not instruct reading unrelated files or system state. Important: a successful 'book' call returns counterparty contacts (sensitive PII), and the doc instructs agents to store the apiKey and contacts — the agent will therefore handle third-party contact data, which is a privacy-sensitive operation.
Install Mechanism: okInstruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself according to the manifest.
Credentials: concernThe SKILL.md relies on an API key (examples use $API_KEY and the docs state register_agent returns an apiKey to store), but the skill metadata declares no required env vars or primary credential. This inconsistency is problematic: the skill will need a credential in practice, but none are declared for review or policy enforcement.
Persistence & Privilege: noteThe skill does not request always:true or other elevated presence and follows normal autonomous invocation defaults. Still, because it will receive and may store third-party contact details, allowing autonomous invocation without careful limits increases the blast radius for accidental or deliberate exfiltration.