Skill v1.0.0
ClawScan security
Maritime Watch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 23, 2026, 10:56 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description promises cross-validated, production-grade port monitoring, but the included files are stubbed/placeholder and the implementation is not consistent with the stated capabilities.
- Guidance: This skill currently contains only placeholder code and does not implement the promised functionality. It does not request secrets now, so it does not appear to exfiltrate data in its current form, but the mismatch between the documentation and the implementation is a warning sign. Before installing or using it in any environment: 1) ask the author for the full source and a verifiable homepage/origin; 2) verify which real endpoints will be called (replace example.com) and confirm whether API keys are required; 3) review any future changes to the script that add network endpoints or credential usage; 4) run and test the skill in a sandboxed environment first; and 5) do not rely on this skill for operational decisions until proper data-fetching, validation, and error handling are implemented.
Review Dimensions
- Purpose & Capability (note): Name and description (monitor Chornomorsk port) align with the included code's intent (fetch weather/vessel/security data). However the actual code and README are clearly incomplete placeholders (example.com endpoints, TODOs) and do not implement the cross-validation, resilience, or JSON output the description promises.
- Instruction Scope (concern): SKILL.md instructs the agent to provide cross-validated outputs and to be resilient to rate limits, but the runtime script simply curls placeholder example.com URLs and prints "Not implemented yet." The runtime behavior does not fulfill the documented instructions — this is a functional mismatch that could confuse users or mask later changes.
- Install Mechanism (ok): There is no install spec (instruction-only plus a small script). No additional packages, downloads, or extract steps are present — low install risk.
- Credentials (note): No environment variables or credentials are requested, which is consistent with the placeholder example endpoints in the script. If the skill were completed to call real vessel/weather/security APIs, those services often require API keys; the SKILL.md does not declare any required credentials, so the current manifest is incomplete relative to expected real-world needs.
- Persistence & Privilege (ok): The skill does not request always:true and has no install-time actions or system-wide configuration changes. Autonomous invocation is allowed (platform default) but is not combined with other high-risk factors here.
