Back to skill
Skillv1.0.0
ClawScan security
DilemmAI Competition · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 11, 2026, 9:16 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's high-level purpose (browser-automating interaction with dilemm.ai) matches the instructions, but the runtime instructions ask the agent to access secrets (email login codes, a local 'secrets file', and potentially wallet connections) that are not declared — this mismatch warrants caution.
- Guidance
- This skill will automate a browser to log into dilemm.ai and may require your email 6-digit login codes, an OpenRouter API key, or a wallet connection. The manifest does not declare any required secrets or file paths, so ask the skill author to clarify exactly which files/locations will be read and why. Before installing or enabling autonomous use: (1) test with a throwaway dilemm.ai account and a disposable email, (2) do NOT expose your primary wallet or primary OpenRouter/API keys — prefer entering them manually only when you control the flow, (3) require human-in-the-loop for authentication steps (so the agent cannot read your mailbox unattended), and (4) request the author to explicitly declare any env vars/config paths the skill will access. If you cannot confirm these limits, treat the skill as potentially unsafe for accounts holding real funds or sensitive credentials.
Review Dimensions
- Purpose & Capability
- noteThe name/description align with the SKILL.md: it is explicitly a headless/browser automation integration for dilemm.ai and the instructions show exactly that. However, the SKILL.md also instructs the agent to 'check secrets file for existing OpenRouter key' and to retrieve email login codes from the user's inbox — these required accesses are not declared in the skill metadata (no required env vars or config paths). That omission is disproportionate to the declared requirements.
- Instruction Scope
- concernThe instructions explicitly tell the agent to perform browser automation, click through auth flows, and retrieve 6-digit login codes from the user's email inbox. They also reference connecting a wallet via Privy and typing an OpenRouter API key into the site. Those steps require the agent to read mailbox contents or local secret stores and to paste secrets into a third-party page. The SKILL.md gives open-ended guidance (e.g., 'check secrets file') without specifying file locations or access boundaries, which broadens what the agent may read or transmit.
- Install Mechanism
- okThis is an instruction-only skill with no install spec or bundled code — lowest install risk. There is nothing downloaded or written by an installer in the manifest.
- Credentials
- concernThe skill declares no required environment variables or config paths, yet the runtime instructions expect retrieval of secrets (OpenRouter API key) and access to the user's email inbox and possibly wallet connection. Requiring access to these sensitive credentials is proportionate to the task only if explicitly declared and limited — here those accesses are implied but not declared, which is a red flag.
- Persistence & Privilege
- noteThe skill does not request always:true and contains no install-time persistence. It uses a browser profile name ('profile="openclaw"'), which implies reading/using a browser profile (cookies, sessions) if available — that could expose additional credentials if not isolated. Autonomous invocation is allowed by default (disable-model-invocation=false), which increases impact if secrets are accessed, but that alone is not flagged as abnormal.