Skill v1.0.3

ClawScan security

EzyHost · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 6:35 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with a web-hosting API integration: it only needs an EzyHost API key and network access to ezyhost.io, and there is no install or extra credential demand.
Guidance
This skill appears coherent for controlling EzyHost via its API. Before installing:
1) Only provide an EZYHOST_API_KEY you trust — the key grants access to manage your sites; prefer a scoped/limited key if the service supports it and rotate keys if possible.
2) Confirm you trust https://ezyhost.io (billing plan required for API access was noted).
3) Be cautious when uploading content — private data you upload will be sent to EzyHost storage.
4) Note the SKILL.md states GitHub import is for public repos; do not expect private-repo access without additional credentials.
5) The metadata flag saying credentials are not sensitive looks like an oversight — treat the API key as sensitive.
If you need higher assurance, ask the publisher for a signed source or an installable package with provenance before granting the API key to agents.

Review Dimensions

Purpose & Capability
ok: Name/description (deploy/manage static sites) match the declared permissions and the SKILL.md endpoints. Requesting a single EZYHOST_API_KEY and network access to ezyhost.io is proportionate for this purpose.
Instruction Scope
ok: SKILL.md contains concrete REST endpoints and headers limited to ezyhost.io and describes actions (create projects, upload files, import public GitHub repos, analytics, SEO). It does not instruct reading arbitrary files, other env vars, or system paths, nor does it direct data to unexpected external endpoints.
Install Mechanism
ok: No install spec and no code files — instruction-only — so nothing is downloaded or written to disk by the skill itself.
Credentials
note: Only EZYHOST_API_KEY is required (declared as primaryEnv), which is appropriate. Minor inconsistency: metadata.sensitive_data.credentials is false despite the skill requiring an API key; this appears to be a metadata oversight but does not change the requested permissions.
Persistence & Privilege
ok: Skill is not always-enabled and uses default autonomous invocation settings. It does not request system-wide config paths or other skills' credentials.