Skill v1.0.0
ClawScan security
Usaspending · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 6:52 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are coherent with its stated purpose (a USAspending.gov CLI) and do not request credentials or perform unexpected network exfiltration.
- Guidance: This skill appears to be a straightforward CLI wrapper for the USAspending API and does not request credentials. Before installing, you may want to: 1) confirm the author/homepage (agxntsix.ai) if provenance matters, 2) run the script in a sandbox or isolated environment the first time, and 3) review the bundled script (already done) if you have stricter requirements — note the unused get_env helper that would read a .env file if later invoked or modified.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included CLI which calls the USAspending API. The script uses only Python stdlib and issues HTTP requests to api.usaspending.gov, which is consistent with a federal spending data client.
- Instruction Scope (ok): SKILL.md simply instructs running the bundled Python CLI against USAspending endpoints. It does not ask the agent to read unrelated files, access other services, or transmit data to unexpected endpoints.
- Install Mechanism (ok): No install spec or external downloads are used; the skill is instruction-only with a single included Python script (stdlib-only), so nothing arbitrary is pulled from the network during install.
- Credentials (note): The skill declares no required environment variables and the CLI operates without credentials. The code contains a get_env() helper that will read a .env file in a workspace path if used, but that helper is not invoked anywhere in the script — this is unexpected but not exploitable in the current code.
- Persistence & Privilege (ok): The skill is user-invocable and not set to always:true. It does not modify other skills or request persistent system privileges.
