Back to skill
Skillv1.0.0
ClawScan security
Docs Bot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 27, 2026, 1:07 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- Instruction-only docs-fetcher that asks the agent to retrieve and cite official documentation pages; its declared requirements, lack of installs, and instructions are consistent with its stated purpose.
- Guidance
- This skill is essentially a runtime instruction for fetching and citing official docs — the content and scope are appropriate. Before enabling it, confirm how your agent's web fetch tool handles authentication and cookies: ensure it won't automatically attach unrelated tokens or cookies to fetched URLs. If you plan to fetch pages that require an API key, only provide limited-scope keys and avoid storing long-lived secrets in the agent. Finally, verify cited URLs manually when using fetched docs for production-sensitive code.
Review Dimensions
- Purpose & Capability
- okName/description (fetch current docs for coding tasks) matches the SKILL.md workflow: identify canonical doc roots, fetch quickstart/API reference/models, and use/cite them. No unrelated binaries, installs, or secrets are requested.
- Instruction Scope
- noteInstructions correctly limit actions to fetching and citing official docs. The guide references typical auth usage (Authorization: Bearer <OPENROUTER_API_KEY>) as an integration example; it does not instruct the agent to read arbitrary local files or to exfiltrate data. Consider that network fetches might inadvertently include credentials (cookies/headers) depending on the runtime web fetch tool.
- Install Mechanism
- okNo install spec or code files — lowest-risk instruction-only skill. Nothing is written to disk or downloaded by the skill itself.
- Credentials
- noteThe skill declares no required environment variables or credentials, which is proportionate. It does mention an example header value (OPENROUTER_API_KEY) for OpenRouter integrations; this is informational but could be construed as implying a credential may be used when actually integrating.
- Persistence & Privilege
- okalways is false and model invocation is normal; the skill requests no persistent presence or system-wide changes.