Skill v1.0.1
ClawScan security
TribuRuby Training Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 4:58 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and required API key are coherent with a TribuRuby integration, but there is a metadata mismatch about required env vars that you should verify before installing.
- Guidance: This skill appears to do what it claims: it will make HTTP requests to https://triburuby.app/api/agent and send the TRIBURUBY_API_KEY in an Authorization: Bearer header. Before installing: (1) confirm the registry entry and SKILL.md agree about required env vars (the manifest you were shown omitted the API key), (2) create an agent-scoped API key in TribuRuby with minimal permissions and do not reuse other secrets, (3) verify you trust the homepage/source (https://triburuby.app) and check network egress logs if you run the agent in a monitored environment, and (4) plan to rotate the key if you stop using the skill. If the registry/origin is unclear or you cannot confirm the API key scope, treat this as higher risk.
Review Dimensions
- Purpose & Capability (note): The skill name/description describe checking in rituals, tracking streaks, and viewing tribe activity; the SKILL.md contains concrete API endpoints and an Authorization: Bearer header — this aligns with the stated purpose. However, the registry metadata earlier reported no required env vars or primary credential while SKILL.md declares TRIBURUBY_API_KEY (primaryEnv). That metadata mismatch is an inconsistency that should be resolved.
- Instruction Scope (ok): The runtime instructions are narrowly scoped to calling TribuRuby agent endpoints (authentication check, discover tribes, context, activity, check-in). They do not instruct reading unrelated files, system paths, or other environment variables.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by an installer. That is the lowest-risk install pattern.
- Credentials (note): SKILL.md requires a single secret TRIBURUBY_API_KEY for API calls which is proportionate for a third-party API integration. The concern is the registry metadata did not list this required env var or primary credential — verify the registry entry and ensure the key requested is the intended agent API key with least privilege.
- Persistence & Privilege (ok): The skill does not request always: true and is user-invocable; it does not request elevated persistence or modification of other skills. Autonomous invocation is allowed (platform default) but not combined with other red flags.
