Skill v1.0.0

ClawScan security

Modern URL shortening with QR codes and detailed analytics · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:41 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are consistent with a URL-shortening/QR/analytics integration: it only asks for a single JO4_API_KEY and provides explicit curl examples against jo4-api.jo4.io, with no unexpected installs or file access.
Guidance
This skill appears coherent, but treat JO4_API_KEY as sensitive: only provide an API key that you control and that is scoped appropriately. Verify the jo4.io domain and API docs (check the TLS certificate and site reputation) before entering keys. If possible, create a limited-scope or test API key, monitor its usage, and rotate it. Review your privacy needs — the service collects click analytics and geolocation/referrer data — and avoid placing a production key in shared environments. If you want to be extra cautious, exercise the anonymous public endpoints first and confirm behavior before granting an authenticated key.

Review Dimensions

Purpose & Capability
ok: Name/description (URL shortener, QR, analytics) align with required artifact: a JO4_API_KEY and API endpoints at jo4-api.jo4.io. Nothing requested (no extra credentials or system access) appears out of scope.
Instruction Scope
ok: SKILL.md contains explicit curl commands against documented endpoints and only references the declared JO4_API_KEY environment variable. It does not instruct reading other files, scanning system state, or sending data to unexpected endpoints.
Install Mechanism
ok: No install spec or code files are present (instruction-only), so nothing is written to disk or downloaded during install — lowest-risk install posture.
Credentials
ok: Only one environment variable (JO4_API_KEY) is required and is the expected credential for the service. No unrelated secrets, config paths, or multiple credentials are requested.
Persistence & Privilege
ok: always is false and there is no request to modify other skills or system settings. The skill allows autonomous invocation by default (disable-model-invocation=false), which is platform-normal and not combined with other red flags here.