Skill v0.0.1
ClawScan security
Epragma Redmine Issue · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Benign (Feb 26, 2026, 2:41 AM)

- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (talking to a Redmine server using a URL and API key), but there are metadata/instruction mismatches and a buggy env-var handling implementation you should be aware of before using it in production.
- Guidance: This skill appears to do what it says — interact with a Redmine instance using a base URL and API key — but check a few things before installing:
  - Verify and set the REDMINE_URL and REDMINE_API_KEY (the registry metadata omitted these even though SKILL.md and the code require them). The code also looks for REDMINE_BASE_URL as an alternate; decide which variables you'll use and be consistent.
  - Review and/or fix the env-var logic in scripts/lib/redmine.js: the REDMINE_URL initializer uses a startsWith check incorrectly (it may evaluate to a boolean and cause runtime errors). Consider patching that before relying on the skill in automation.
  - Keep your API key secret and test the skill in an isolated environment first (it will send any requests only to the configured Redmine URL). If you plan to use it in automation, ensure the agent runs with least privilege and rotate the API key if it was exposed during testing.
  - Ensure the Node runtime used supports global fetch (Node 18+), or add a fetch polyfill if needed.
  - If you want higher assurance, ask the author to correct the metadata to list required env vars and to fix the env-handling bug; otherwise run the provided scripts locally against a test Redmine instance first.
Review Dimensions
- Purpose & Capability [note]: Name/description (read/create/update Redmine issues) align with the code and instructions. The skill legitimately needs a REDMINE_URL and REDMINE_API_KEY. However, registry metadata lists no required env vars while SKILL.md and the code require them; the code also accepts REDMINE_BASE_URL as an alternate, which is undocumented in SKILL.md (memory note mentions swapped env support).
- Instruction Scope [ok]: SKILL.md tells the agent to run the included Node scripts, which only call the Redmine REST API. The runtime instructions and code do not reference unrelated system files or external endpoints beyond the configured Redmine base URL.
- Install Mechanism [ok]: There is no install spec (instruction-only style). Code files are included but nothing is downloaded or auto-installed from external URLs, so install risk is low.
- Credentials [note]: Requested secrets (Redmine URL and API key) are proportionate to the skill. But the skill's metadata did not declare these required env vars, and the code also references REDMINE_BASE_URL and implements a swapped-vars fallback. This inconsistency could cause misconfiguration and surprises. Also, the implementation of env-var handling appears buggy (see the guidance above).
- Persistence & Privilege [ok]: The skill does not request persistent/system-wide privileges and is marked `always:false`. It does not modify other skills or system settings.
