Skill v1.0.2
ClawScan security
Pear Apple · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 13, 2026, 10:32 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description, required API key, and network access are consistent with a third‑party iCloud PIM integration; nothing in the instructions asks for unrelated credentials or system access.
- Guidance: This skill appears internally consistent, but remember: PEAR_API_KEY is powerful — it permits read/write access to your iCloud calendars, contacts, and reminders via the Pear service. Only install if you trust pearmcp.com and understand Pear's privacy policy. Prefer creating or using limited-scope API keys if Pear supports them, avoid sharing your Apple password (use Pear's dashboard and app-specific passwords for linking), and consider restricting or reviewing agent autonomy so the skill can't make unattended changes. Revoke the API key immediately if you suspect misuse.
Review Dimensions
- Purpose & Capability (ok): Name/description match the declared requirements: a single PEAR_API_KEY and network access to pearmcp.com are exactly what a Pear iCloud API integration would need. Requested tools (events, reminders, contacts, scheduling) align with the stated purpose.
- Instruction Scope (ok): SKILL.md is an instruction-only spec describing calls to Pear's MCP tools and does not instruct the agent to read arbitrary files, other environment variables, or system-wide configuration. It notes that connecting your iCloud account requires an Apple app-specific password, but that is a user-facing Pear setup step rather than an instruction to exfiltrate local secrets.
- Install Mechanism (ok): No install spec or bundled code — instruction-only skills are lowest risk because nothing is written to disk or fetched during install.
- Credentials (note): Only PEAR_API_KEY is required, which is proportional to a third-party API integration. However, that single key implicitly grants read/write access to calendars, contacts, and reminders via Pear — treat it as highly sensitive and only provide it to a trusted service.
- Persistence & Privilege (note): always:false (good). The skill can be invoked autonomously by the agent (platform default). Because the API key enables full PIM access, consider limiting autonomous actions or reviewing agent permissions if you don't want unattended changes to calendar/contacts.
