Skill v1.0.0
ClawScan security
AI PC Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 11:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and external endpoint are consistent with its stated purpose (querying Newegg's PC Builder MCP); it requests no credentials and has no install step, but it will send user queries to the Newegg endpoint so consider privacy before enabling.
- Guidance: This skill appears to do what it claims: it queries Newegg's PC Builder MCP and returns build/compatibility info. Before installing, consider: (1) Privacy — any user text you pass (including component lists or system details) will be sent to https://apis.newegg.com/ex-mcp/endpoint/pcbuilder; avoid sending sensitive data. (2) Autonomy — the skill's instructions tell the agent to trigger for many PC-related prompts, so it may call the external API without an explicit user approval each time. (3) Testing — run the bundled list_tools locally (python scripts/mcp_client.py list_tools) to see what tools the MCP exposes and to verify responses. If you require API keys, confirm with the provider how auth is handled; this skill currently sends unauthenticated requests. If those behaviors are acceptable, the skill is internally coherent.
Review Dimensions
- Purpose & Capability (ok): The name/description match the included script and SKILL.md: both describe discovering and calling tools on the Newegg MCP endpoint. There are no unrelated env vars, binaries, or config paths requested.
- Instruction Scope (note): SKILL.md instructs the agent to always call list_tools then pick and call a tool based on the LLM's interpretation. This is coherent for a dynamic MCP client, but grants the agent discretion to call an external service whenever it deems a user intent matches (the skill even instructs to trigger on many PC-related prompts). That broad trigger/automatic decision-making is expected for this type of skill but increases the chance user queries will be sent to the remote API.
- Install Mechanism (ok): Instruction-only with a small Python script bundled; there is no installer or third-party downloads. The script uses only the Python standard library and does not write files or install packages.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The script communicates directly with the documented Newegg MCP endpoint; no unrelated secrets are requested. Note: user-provided query text and any data mapped into tool arguments will be sent to the remote service.
- Persistence & Privilege (ok): The skill is not force-installed (always: false) and does not attempt to modify other skills or system settings. Autonomous invocation is allowed (platform default) but is not combined here with elevated privileges or credential access.
