ClawAudit verdict
trackyard
Licensed music search and download skill using the Trackyard API with a user-owned key; all documented network calls go to trackyard.com and there is no credential exfiltration or unusual behavior.
โ Flagged for review โ coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis โ not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (1)
Possible hardcoded credential
SKILL.md ยท code ยท API_KEY="trackyard_live_...
Permissions & capabilities
Requires 1 environment variable. (1 sensitive: TRACKYARD_API_KEY). Requires 2 system binaries. (1 elevated: curl).
Is this flag fair?
Thanks โ recorded.