Skill v1.0.0
ClawScan security
Solar Cloud API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:32 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (fetching Solax inverter summaries), but there are small inconsistencies and a manual npm install step that you should review before trusting it.
- Guidance: This skill appears to do what it says: use the solax-cloud-api npm package to fetch an inverter summary. Before installing or running it:
  1. Provide SOLAX_TOKENID and SOLAX_SN only via environment variables or a secrets vault; do not paste tokens into chat.
  2. Inspect the solax-cloud-api package (and its dependencies) on the npm registry before running npm install, and pin/lock versions so unexpected transitive packages cannot slip in.
  3. Run npm install in a contained environment (build sandbox or CI runner) if you are unsure.
  4. The script emits the inverter serial (sn) unredacted in error output; if that is sensitive for you, modify the script to redact it.
  5. Ask the publisher to update the registry metadata to declare the required env vars and to ship a lockfile to reduce supply-chain variability.
Review Dimensions
- Purpose & Capability
- note: The name/description, the script (fetch_summary.mjs), and package.json all align: they load solax-cloud-api@0.2.0 and call getAPIData() -> toSummary() to produce SolaxSummary JSON. One mismatch: registry metadata lists no required environment variables, but the runtime clearly expects SOLAX_TOKENID and SOLAX_SN (or CLI args).
- Instruction Scope
- ok: SKILL.md instructs the agent to run npm install in the skill folder and then run the script with env vars or CLI args. It does not ask the agent to read unrelated files or exfiltrate data to unknown endpoints; network activity is limited to the expected Solax Cloud API calls performed by the solax-cloud-api package. The script redacts the tokenId in error output but emits the inverter serial (sn) unredacted.
- Install Mechanism
- note: There is no automatic install spec; the skill relies on a manual `npm install` in the skill workspace. That will pull solax-cloud-api from the public npm registry (moderate trust surface). No arbitrary downloads or external URLs are used. Because the skill ships a package.json without a lockfile and instructs `npm install` (not `npm ci`), the exact transitive dependency graph can vary unless you pin/lock versions.
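The pre-install review the verdict asks for (exact version pins, no install-time lifecycle scripts, a lockfile, and `npm ci` rather than `npm install`) can be scripted. The block below is an added example, not code from the skill or from ClawHub: it audits a package.json object and a lockfile flag and returns findings plus the npm commands to run. The sample manifest is constructed; `some-helper` and its `postinstall` hook are hypothetical and exist only to show what gets flagged.

```javascript
// Added example, not part of the skill or of ClawHub: a pre-install
// audit of a skill workspace's package.json. It flags dependency specs
// that are not exact versions, non-registry sources, install-time
// lifecycle scripts, and a missing lockfile, and it suggests the npm
// commands to run. The sample manifest below is constructed; the
// package "some-helper" in it is hypothetical.

const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const NON_REGISTRY = /^(?:git\+|git:|github:|https?:|file:|link:)/i;
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns a list of findings (strings). An empty list means nothing was flagged.
function auditManifest(pkg, hasLockfile) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (NON_REGISTRY.test(spec)) {
        findings.push(`${field}.${name}: non-registry source "${spec}"`);
      } else if (!EXACT_SEMVER.test(spec)) {
        findings.push(`${field}.${name}: not pinned to an exact version ("${spec}")`);
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push(`scripts.${hook} runs during install: "${pkg.scripts[hook]}"`);
    }
  }
  if (!hasLockfile) {
    findings.push('no package-lock.json: the transitive dependency graph is not pinned');
  }
  return findings;
}

// Without a lockfile: resolve first (writes only package-lock.json, runs no
// scripts), review the generated lockfile, then install from it. With a
// lockfile: install from it only. --ignore-scripts blocks the lifecycle
// hooks of every package; drop it only after reviewing what those hooks do.
function recommendedInstall(hasLockfile) {
  return hasLockfile
    ? ['npm ci --ignore-scripts']
    : ['npm install --package-lock-only --ignore-scripts', 'npm ci --ignore-scripts'];
}

// Constructed sample: one pinned dependency (as the skill declares),
// one hypothetical unpinned one, and a hypothetical postinstall hook.
const SAMPLE_MANIFEST = {
  name: 'solax-summary-skill',
  dependencies: { 'solax-cloud-api': '0.2.0', 'some-helper': '^1.4.0' },
  scripts: { postinstall: 'node setup.js' },
};

for (const finding of auditManifest(SAMPLE_MANIFEST, false)) console.log('-', finding);
console.log(recommendedInstall(false).join(' && '));
```

To run it against a real skill folder, parse `package.json` with `JSON.parse(fs.readFileSync(...))` and pass `fs.existsSync('package-lock.json')` as the second argument; the checks themselves are pure so they can also run in CI before any install happens.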
- Credentials
- concern: The amount of secret access required is minimal and appropriate (a Solax tokenId and inverter serial). However, the registry metadata does not declare these required environment variables, a metadata mismatch that could cause surprise. Also note the script prints the serial number unredacted in error output (revealing a device identifier); the tokenId appears in the error JSON only in redacted form.
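Guidance item 4 and the Credentials finding both come down to the same change: mask the inverter serial the way the script already masks the tokenId, and keep both out of any free-text error message. The block below is an added example, not the skill's fetch_summary.mjs: it loads the credentials from the environment or CLI arguments only, and produces an error report in which both values are masked. The report shape (`error`, `tokenId`, `sn`) and the demo values are assumptions constructed for the example.

```javascript
// Added example, not the skill's fetch_summary.mjs: load the Solax
// credentials from the environment or CLI arguments, and make sure both
// the tokenId and the inverter serial (sn) are masked before any error
// report is emitted. The error-report shape below is an assumption.

const SECRET_KEYS = new Set(['tokenId', 'sn']);

// Keep two characters at each end so the user can tell which value was
// used without the transcript or logs carrying the full secret.
function mask(value) {
  const s = String(value);
  if (s.length <= 4) return '****';
  return s.slice(0, 2) + '*'.repeat(s.length - 4) + s.slice(-2);
}

// Mask fields named in SECRET_KEYS and scrub the raw secret values out of
// any string field (e.g. an error message that interpolated the serial).
function redact(value, secrets) {
  if (Array.isArray(value)) return value.map((v) => redact(v, secrets));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.has(k) ? mask(v) : redact(v, secrets);
    }
    return out;
  }
  if (typeof value === 'string') {
    let s = value;
    for (const secret of secrets) {
      if (secret && s.includes(secret)) s = s.split(secret).join(mask(secret));
    }
    return s;
  }
  return value;
}

// Credentials come from CLI args or environment variables only; nothing
// here reads them from chat input.
function loadCredentials(env = process.env, argv = process.argv.slice(2)) {
  const tokenId = argv[0] ?? env.SOLAX_TOKENID;
  const sn = argv[1] ?? env.SOLAX_SN;
  if (!tokenId || !sn) {
    throw new Error('SOLAX_TOKENID and SOLAX_SN must be set (env) or passed as the two CLI args');
  }
  return { tokenId, sn };
}

// What the agent is allowed to see when the API call fails.
function safeErrorReport(err, creds) {
  const raw = { error: err.message, tokenId: creds.tokenId, sn: creds.sn };
  return redact(raw, [creds.tokenId, creds.sn]);
}

// Constructed demo values; real ones come from loadCredentials().
const demoCreds = { tokenId: 'abcdefghijkl', sn: 'SXM1234567890' };
const demoErr = new Error(`Solax API request for ${demoCreds.sn} failed`);
console.log(JSON.stringify(safeErrorReport(demoErr, demoCreds)));
```

Scrubbing string fields matters as much as masking the named keys: an upstream library error that embeds the serial in its message would otherwise leak it even though the `sn` field itself is masked.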
- Persistence & Privilege
- ok: The skill does not request permanent presence (always:false), does not modify other skills or system settings, and is user-invocable only. It writes dependencies into the skill workspace only when you run npm install (manual step).
