Skill v1.0.0
ClawScan security
Raindrop Io · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 27, 2026, 9:10 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims a Raindrop.io integration but the runtime instructions and metadata are just a generic unfinished template — it lacks the authentication, API calls, or any concrete behavior needed to do what it says.
- Guidance: This skill appears to be an unfinished template rather than a working Raindrop.io integration. Do not rely on it to access or manage bookmarks yet. Before installing or enabling it, ask the publisher to provide: (1) a completed SKILL.md with concrete runtime behavior and example requests, (2) the authentication method (OAuth flow or API token) and the exact environment variables required (e.g., RAINDROP_TOKEN) and why they are needed, (3) the API endpoints called and any external domains the skill will contact, and (4) storage/retention details for any tokens. If the author cannot supply those, treat the skill as non-functional. When it does request credentials, prefer least-privilege tokens, verify the skill's source/homepage, and avoid providing high-privilege secrets until you confirm the implementation and hosting are trustworthy.
Review Dimensions
- Purpose & Capability (concern): The name/description promise integration with Raindrop.io; however, the package declares no environment variables, no primary credential, no endpoints, and the SKILL.md contains only template TODOs. A real Raindrop.io integration would need authentication (API token or OAuth flow) and concrete API usage; those are missing, so the declared purpose and the actual content are inconsistent.
- Instruction Scope (note): SKILL.md is an unfinished template with high-level guidance about how to structure a skill but contains no runtime commands, no references to Raindrop APIs, no file or env access, and no instructions to call external services. The instructions are vague and incomplete (granting the agent broad discretion if later filled in), but currently do not perform suspicious actions.
- Install Mechanism (ok): There is no install spec and no code files. That is low-risk for now because nothing is downloaded or written to disk.
- Credentials (concern): A Raindrop.io skill would normally require at least one credential (API token or OAuth client credentials). The absence of any declared env vars or primary credential is disproportionate to the stated purpose and suggests the metadata is incomplete or the skill was published prematurely.
- Persistence & Privilege (ok): always is false and the skill is user-invocable with normal autonomous invocation allowed. There is no indication this skill requests persistent or elevated privileges.
