Skill v1.0.2
ClawScan security
Trackyard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 18, 2026, 11:14 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and included script are consistent with its stated purpose of searching and downloading Trackyard music and do not request unrelated credentials or installs.
- Guidance: This skill appears coherent with its stated purpose. Before installing: (1) confirm you trust trackyard.com and that TRACKYARD_API_KEY is a legitimate key from that service; (2) be aware the script sends your API key to api.trackyard.com (expected behavior) and saves downloaded .mp3 files to the current working directory (could overwrite files with the same name); (3) the script builds JSON payloads by inserting user input directly — avoid passing untrusted or specially crafted strings as queries/filters/IDs to prevent malformed requests; and (4) if you need stronger safety, inspect or run the script in a sandbox or review/patch input sanitization before use.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (curl, jq), and required env var (TRACKYARD_API_KEY) align with a CLI that calls Trackyard's API. The script targets api.trackyard.com endpoints and only needs an API key.
- Instruction Scope (note): SKILL.md and the script confine activity to searching, downloading, and querying account/usage via the Trackyard API. The script sends the TRACKYARD_API_KEY as a Bearer token and writes downloaded .mp3 files to the current directory. Note: some request-body construction uses raw shell string concatenation (user-supplied filters/query/IDs are embedded into JSON payloads) which can break requests or mis-handle odd input values; this is a functional/safety note but not evidence of misaligned purpose.
- Install Mechanism (ok): No install spec; this is an instruction-only skill with an included shell script. No external packages or remote downloads beyond calls to the Trackyard API are performed during use.
- Credentials (ok): Only a single credential is requested (TRACKYARD_API_KEY) and it is the primaryEnv. That is proportionate for an API-based music-download client; no unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): always is false and the skill does not request or modify other skills or system-wide agent settings. It runs as-invoked and does not demand permanent elevated presence.
