EzyHost
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only EzyHost skill is coherent and purpose-aligned, but it gives an agent API-key access to manage live website resources, including destructive actions.
Install this only if you want your agent to manage EzyHost sites through your API key. Before using it, make sure the key is dedicated and revocable, and require explicit confirmation for actions that publish, modify, roll back, bulk-delete, or delete website content.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can act with the permissions of the provided EzyHost API key.
The skill clearly requires an API key to act on the user's EzyHost account, but the sensitive-data metadata says credentials are false, which may understate the importance of the credential.
All API requests require an API key passed as a header: x-api-key: $EZYHOST_API_KEY ... sensitive_data: credentials: false
Use a dedicated, revocable API key with the minimum permissions available, and rotate or revoke it if the skill is no longer needed.
A mistaken or overly broad request could delete a live project or remove hosted files from the user's EzyHost account.
The API documentation includes irreversible destructive operations on hosted website projects and files. This is consistent with a site-management skill, but it is high-impact if used accidentally.
DELETE /api/projects/:id ... Deletes the project and all associated files from storage. This cannot be undone.
Confirm project IDs and ask for explicit user approval before delete, bulk-delete, rollback, or AI auto-fix actions.