Skill v1.0.1

ClawScan security

Agnost AI Analytics · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 3:36 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is a documentation-only SDK/ingestion guide for Agnost AI analytics that is internally consistent with its stated purpose (instrumentation and event capture to api.agnost.ai) and does not request unrelated system access.
Guidance
This is a documentation-only SDK guide for sending analytics to api.agnost.ai — the skill itself is not installing or running code. Before you adopt it: (1) confirm the upstream SDK packages (agnost, agnostai, agnost-mcp) on npm/PyPI and verify the maintainers/publish dates and source repository; (2) avoid sending real PII or production data until you’ve validated the service and reviewed their privacy/security policies (examples show sending email, IP, and full input/output); (3) store your organization ID in a secure secret (not in code) and validate the header usage (X-Org-Id) before deploying; (4) consider using options to disable input/output capture where available (e.g., disable_input/disable_output) if you must limit sensitive data collection; and (5) exercise caution installing the referenced third-party packages — this skill only documents behavior, but installed SDKs will run code on your systems.

Review Dimensions

Purpose & Capability
ok
The name/description match the content: SDK docs, API reference, and examples for ingesting analytics into https://api.agnost.ai. The skill does not request unrelated binaries, credentials, or system access.
Instruction Scope
note
Instructions and examples are limited to initializing the SDK, creating sessions/events, and sending analytics to api.agnost.ai. They show collecting user metadata (user_id, email), IP, args/results and using an org ID; this is expected for an analytics SDK but is a privacy consideration. Examples also use process.env.AGNOST_ORG_ID in sample code even though no env vars are declared by the skill.
Install Mechanism
ok
There is no install spec — the skill is instruction-only. The examples instruct users to install packages (pip/npm) from public registries; that is normal but means risk shifts to the external packages (verify npm/PyPI publishers before installing).
Credentials
note
The skill declares no required environment variables or credentials (consistent with being docs-only). However examples expect an organization ID (X-Org-Id / AGNOST_ORG_ID) which is the only credential-like parameter; no unrelated secrets (AWS keys, tokens for other services) are requested.
Persistence & Privilege
ok
always:false and user-invocable:true (normal). The skill does not request persistent agent presence or modify other skills or system settings.