Skill v1.0.2

ClawScan security

IQAir Air Quality · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 17, 2026, 2:38 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements, instructions, and included code match its stated purpose (fetching IQAir/AirVisual AQI data) and nothing requested appears disproportionate.
Guidance
This skill is internally consistent: it needs only your IQAir API key and the included Python script queries the official AirVisual endpoints and prints AQI results. Before installing, verify you trust the skill source (SKILL.md lists a GitHub homepage—review that repo if you can), keep your IQAIR_API_KEY private (do not paste into public places), and be mindful of IQAir rate limits (the skill will make outbound HTTP requests to api.airvisual.com and will include your API key in those requests). If you want extra assurance, review the small scripts/get_aqi.py file (it is short and readable) and only provide the IQAIR_API_KEY environment variable rather than broader credentials.

Review Dimensions

Purpose & Capability
ok
Name/description ask for IQAir API access and the skill only requests IQAIR_API_KEY; the code calls IQAir/AirVisual endpoints (api.airvisual.com) to fetch AQI and formats results. This is coherent with the stated purpose.
Instruction Scope
ok
SKILL.md instructs the agent to run the bundled Python script with city/coordinate arguments. The script only reads IQAIR_API_KEY, constructs queries to the IQAir API, handles common HTTP errors, and prints formatted output. It does not access unrelated files/paths or other environment variables.
Install Mechanism
ok
No install spec; the skill is instruction-only with one simple included script. Nothing is downloaded or written at install time and no third-party install URLs are used.
Credentials
ok
Only IQAIR_API_KEY is required, which is appropriate for this API-based skill. The script uses that single env var and does not attempt to read other secrets or config paths.
Persistence & Privilege
ok
always:false and no modifications to other skills or system settings. The skill does outbound API calls when invoked; autonomous invocation is allowed by default but not excessive here.