Skill v1.0.0

ClawScan security

Answeroverflow 1.0.2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 13, 2026, 7:02 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose — it only contains instructions to search and fetch public Answer Overflow pages and does not request credentials, install software, or access unrelated system data.
Guidance
This skill appears to be what it says: it uses web_search and web_fetch to find and retrieve public Answer Overflow pages. Before installing, be aware that queries and fetched content are sent to external sites (answeroverflow.com and search engines). Avoid sending sensitive or proprietary code/snippets in queries. Note the minor metadata mismatches (ownerId/version) — these are administrative inconsistencies you may want to verify with the publisher. If you expect to use any private MCP API features, confirm whether authentication is required and how credentials would be provided (none are declared here). Otherwise this instruction-only skill is low-risk and coherent with its purpose.

Review Dimensions

Purpose & Capability
note: The name and description match the SKILL.md instructions: all guidance is about using web_search/web_fetch to find and fetch Answer Overflow pages. No credentials, binaries, or installs are required, which is appropriate for indexing public Discord content. Minor metadata inconsistencies exist: the registry metadata (ownerId and version) does not match the _meta.json contents, and the skill source/homepage are marked unknown/none while the SKILL.md lists site/docs/discord URLs — these are administrative mismatches but do not change the runtime behavior.
Instruction Scope
ok: SKILL.md instructs the agent to run web_search (Google-like site: queries) and web_fetch to retrieve markdown pages from answeroverflow.com. It does not instruct reading local files, environment variables, or unrelated system paths, nor does it direct data to unexpected endpoints. It mentions an MCP endpoint and its tools but does not include instructions that require hidden credentials or other out-of-scope actions.
Install Mechanism
ok: There is no install spec and no code files — this is instruction-only. That minimizes disk writes and third-party package installation risk.
Credentials
ok: The skill declares no required environment variables, no primary credential, and no config paths. For a read-only search/fetch skill on public content, this is proportionate. Note: if the MCP API actually requires auth in practice, no credentials are declared here — you would need to provide them separately, but the SKILL.md does not request them.
Persistence & Privilege
ok: The skill is not always-enabled (always: false) and is user-invocable. disable-model-invocation is false (autonomous invocation permitted), which is the platform default and acceptable for this kind of read-only lookup skill. The skill does not request to modify agent/system configuration or persist credentials.