Skill v1.0.0
ClawScan security
muapi-platform · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 13, 2026, 11:59 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's scripts appear to do what the description says (configure a muapi CLI key and poll results), but the declared requirements and README are inconsistent with the actual scripts. Verify the muapi CLI and its origin before installing.
- Guidance: This skill's scripts themselves are limited to talking to the muapi CLI, which matches the described purpose, but there are inconsistencies you should clear up before installing:
  1) The scripts call a 'muapi' command but the skill metadata doesn't list 'muapi' as a required binary (and SKILL.md incorrectly lists curl). Confirm you have a legitimate muapi CLI installed and know its source.
  2) Understand that adding a key via setup.sh will hand that key to the muapi CLI (and thus to the muapi service); only use keys you trust and avoid exposing high-privilege secrets.
  3) If you allow the agent to invoke this skill autonomously, the agent could run the muapi CLI commands and thereby transmit configured keys. Ensure the agent environment only contains keys you intend to use.
  If anything about the muapi CLI origin or behavior is unclear, obtain the CLI from an official source or inspect it before use.
Review Dimensions
- Purpose & Capability (concern): The scripts call a 'muapi' CLI (muapi auth, muapi predict), which is necessary for the described functionality, but the skill metadata and SKILL.md do not declare 'muapi' as a required binary. SKILL.md lists 'curl' as a requirement even though the scripts never call curl. That mismatch between declared requirements and actual behavior is incoherent.
- Instruction Scope (ok): The runtime instructions and the two included shell scripts stay within the stated purpose: configuring a muapi API key, checking whoami, testing the key, and polling prediction results. They do not read arbitrary system files or environment variables beyond passing the provided API key to the muapi CLI. Note: using the scripts will transmit the API key and request IDs to the muapi service via the muapi CLI.
- Install Mechanism (ok): There is no install specification (instruction-only with included scripts), so nothing is downloaded or written by an installer. This lowers install-surface risk. However, the skill relies on an external muapi CLI which the user must install separately; the skill does not document where to obtain a trusted muapi binary.
- Credentials (concern): The skill declares no required environment variables or primary credential, yet setup.sh may accept and pass an API key (it sets MUAPI_API_KEY in a single command invocation). Because the skill does not declare that it needs a muapi CLI or how credentials are stored, it's unclear what agent environment or stored credentials will be used. This lack of declared credential requirements is disproportionate to the actual action of sending an API key to the muapi CLI/service.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It is user-invocable and can be run autonomously by the agent (default), which is expected for utility scripts; weigh this together with the above concerns about undeclared binaries and credentials when allowing autonomous invocation.
