Skill v1.0.0
ClawScan security
Keepa Api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 2, 2026, 11:47 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is a coherent Keepa API client, but its declared metadata omits the fact that it requires and reads a Keepa API key and user/project config files — an inconsistency you should review before installing.
- Guidance
- This skill is a simple wrapper around the official Keepa API and the code and docs are consistent with that function, but the published metadata omitted that it needs your Keepa API key and reads/suggests saving a config file at .teamclaw-skills/keepa-api/CONFIG.md or ~/.teamclaw-skills/keepa-api/CONFIG.md. Before installing: (1) review the included scripts/keepa.sh to confirm it only calls api.keepa.com and does not send your key elsewhere (it does not in the provided code); (2) prefer exporting KEEPA_API_KEY in your session instead of writing the key to a shared project file if you are concerned about persistence; (3) verify the skill source/author (no homepage and unknown owner); and (4) be aware Keepa requests consume tokens/costs on your Keepa account. If you are uncomfortable storing an API key for an unknown/unsigned skill, do not install or run it until you host/inspect it locally or obtain it from a trusted source.
Review Dimensions
- Purpose & Capability
- concern: Name/description match the included code: this is a Keepa API client that queries api.keepa.com. However, the registry metadata declares no required environment variables or credentials, while the shipped script and SKILL.md clearly expect a Keepa API key (KEEPA_API_KEY) and configuration files under .teamclaw-skills/keepa-api/CONFIG.md or ~/.teamclaw-skills/keepa-api/CONFIG.md. That mismatch is inconsistent and worth scrutiny.
- Instruction Scope
- ok: The SKILL.md and scripts stay within the stated purpose: they ask for an API key, marketplace, and number of days, then use curl to call api.keepa.com and jq to parse the results. The instructions reference only Keepa endpoints and local config paths; there are no hidden remote endpoints or broad system file collection steps.
- Install Mechanism
- ok: No install spec is provided (instruction-only with a bundled shell script). This is low-risk from an install perspective, but the shipped script will be executed by the agent/runtime if invoked — review the script before running.
- Credentials
- concern: The skill requires a Keepa API key and supports env vars (KEEPA_API_KEY, KEEPA_DOMAIN, KEEPA_OUTPUT_FORMAT, KEEPA_DEFAULT_DAYS) and reads user/project config files, but the skill metadata did not declare any required env vars or a primary credential. Requiring an API key is reasonable for the purpose, but the omission in metadata is an inconsistency that could cause users to unintentionally expose credentials.
- Persistence & Privilege
- ok: The skill does not request always:true and does not modify other skills or system-wide settings. It reads configuration from project/user paths under .teamclaw-skills, which is scoped to the user/project and is a normal place to persist credentials/configuration for a skill.
