Skill v1.0.2
ClawScan security
Synero · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign
Mar 9, 2026, 3:42 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is a straightforward client that posts prompts to Synero's API and returns a synthesized answer; its behavior matches the description, but there is a metadata inconsistency about required credentials you should be aware of.
- Guidance: This skill appears to do what it says: a local Python CLI that sends your prompt to Synero's API (default https://synero.ai/api/query) and prints a synthesized reply. Before installing: (1) Note the manifest inconsistency — SKILL.md and the script require SYNERO_API_KEY but the registry metadata omitted it; confirm you are willing to provide that API key. (2) Verify the service URL and origin (source/homepage unknown) and that you trust synero.ai to receive your prompts. (3) Review the included Python script (it’s small and readable) to confirm it matches your expectations; it only uses standard library urllib and reads no other local secrets. (4) Limit API key scope where possible and avoid putting highly sensitive data into prompts. If you want stronger assurance, ask the publisher to fix the metadata to declare SYNERO_API_KEY as required and provide a homepage/source repo.
Review Dimensions
- Purpose & Capability (note): The skill's name/description, SKILL.md, and the bundled Python script all consistently implement a client that sends prompts to a Synero council API and streams/parses SSE. This matches the stated purpose. Note: the registry metadata listed no required env vars, but SKILL.md and the script require SYNERO_API_KEY — an inconsistency in the manifest.
- Instruction Scope (ok): Runtime instructions and the script stay within scope: they build a JSON payload from the prompt and optional model overrides, POST to the configured SYNERO_API_URL (default https://synero.ai/api/query), read SSE events, and print synthesis or raw events. The script only reads environment vars that configure the API URL, timeout, model overrides, and the API key; it does not access unrelated files, secret stores, or other system credentials.
- Install Mechanism (ok): No install spec; this is instruction-only plus a small Python script. There are no remote downloads or package installs in the skill bundle, so nothing arbitrary will be fetched by the installer.
- Credentials (note): The script requires a single API credential (SYNERO_API_KEY), which is appropriate for a remote-API client. However, the registry metadata (shown to the evaluator) claimed 'Required env vars: none' while SKILL.md and the script require SYNERO_API_KEY and optionally allow model override env vars. That mismatch should be clarified before install. No other unrelated secrets are requested.
- Persistence & Privilege (ok): The skill does not request persistent/always-on privileges, does not modify other skills or system settings, and will only run when invoked. It operates as a simple command-line client.
