Skill v1.3.0
ClawScan security
GitCode API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 18, 2026, 11:51 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches a GitCode API client, but there are coherence issues (missing homepage/source, contradictory dependency claims, and unclear/misleading guidance about token scopes) that you should resolve before trusting it with credentials.
- Guidance: This skill appears to be a GitCode API client and documentation bundle, but there are a few red flags to consider before installing or using it with a real token:
  - Source provenance: there is no homepage or repository listed. Prefer skills with a verifiable source.
  - Token scopes: the docs and examples include read and write/destructive endpoints (creating/deleting repos, adding members). Do NOT supply a token with wide write/delete permissions unless you fully trust the skill; prefer a read-only token for queries.
  - Do not paste tokens into chat prompts unless you understand the risks; prefer setting GITCODE_TOKEN as an environment variable with minimal scope.
  - Dependency mismatch: the header claims "standard library only" but examples use the third-party 'requests' library. Ensure the runtime environment provides requests or adjust examples to use only stdlib (urllib).
  - If you plan to allow autonomous agent invocation, consider limiting the token's scope and lifespan (short-lived or scoped to specific repos) to reduce blast radius.

  If the publisher/source can be verified and you confirm the token scopes you provide are intentionally limited, the skill's behavior is coherent. Otherwise treat it cautiously.
Review Dimensions
- Purpose & Capability (note): The skill's name/description match its artifacts: SKILL.md, reference and examples are all GitCode API documentation. However, the package lacks a source/homepage (origin unknown). The reference includes destructive endpoints (create/update/delete repos, add members) but the token guidance only recommends read scopes, which is inconsistent with the full capability surface.
- Instruction Scope (note): SKILL.md stays within API usage: it documents base URL, headers, token locations, and expected status codes. It does not instruct reading arbitrary system files. One oddity: it documents multiple places to read an env var (including PowerShell/.NET user/system variables), which expands where an agent may look for the token but is still within the token retrieval context.
- Install Mechanism (note): No install spec (instruction-only), which is low-risk. But SKILL.md claims 'Python 3.7+ standard library only' while examples use the third-party 'requests' library; that is an inconsistency (the skill expects a dependency but doesn't declare/install it).
- Credentials (concern): The only declared credential is GITCODE_TOKEN, which is appropriate for a GitCode client. However: (1) examples and reference include write/destructive APIs (create PR, create/delete files, delete repo, add members) that require broader scopes than the token creation guidance implies; (2) the skill encourages pasting tokens directly in prompts (user-provided token), which is risky; (3) the SKILL.md suggests reading user/system env entries on Windows, enlarging the places the agent may access secrets. Overall, requested environment access is plausible but the required token permissions are ambiguous and possibly excessive for read-only use.
- Persistence & Privilege (ok): No elevated persistence requested (always:false). The skill is instruction-only and does not request to modify other skills or system settings.
