Skillv1.0.1

ClawScan security

Miro REST API Reference · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 7, 2026, 1:32 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only Miro REST API reference (documentation and examples) that is internally consistent with its stated purpose and does not request unusual permissions, installs, or credentials.
Guidance: This skill is a documentation/reference pack for Miro's REST API and appears coherent and low-risk. It does include sample code that uses API tokens and webhook secrets — that's normal for API docs. Before using: (1) do not paste real tokens or secrets into the skill's chat prompts; treat it like library docs, not a place to store credentials; (2) prefer storing tokens in environment variables or a secrets manager as the docs recommend; (3) verify the skill's origin if you require provenance (the source/homepage are unknown); and (4) if you plan to copy example code into production, review it for error handling, secure storage of secrets, and endpoint URLs to ensure they match official Miro endpoints.

Purpose & Capability: okThe name/description promise a Miro REST API reference and the included SKILL.md plus the referenced docs (authentication, endpoints, examples, webhooks, rate-limiting, etc.) all match that purpose. The skill does not request unrelated binaries, env vars, or config paths.
Instruction Scope: okRuntime instructions are documentation and examples for using Miro's API. The examples show typical patterns (curl, OAuth, PATs, webhook verification) but do not instruct the agent to read local files, exfiltrate data, or reach out to endpoints other than Miro or developer-controlled webhook URLs. Note: some examples reference environment variables (e.g., MIRO_TOKEN, MIRO_WEBHOOK_SECRET) — these are sample usage patterns, not skill requirements.
Install Mechanism: okNo install spec and no code files to execute; this is instruction-only, so nothing will be downloaded or written to disk during install. Low install risk.
Credentials: okThe skill declares no required environment variables or primary credential. The doc examples legitimately mention tokens and webhook secrets for using the Miro API; that is expected for API documentation. There is no disproportionate or unexplained credential request in the skill metadata or instructions.
Persistence & Privilege: okalways is false and the skill is user-invocable (normal defaults). The skill does not request persistent system presence, nor does it attempt to modify other skills or system configs.