Sure

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill makes a disclosed Sure API request using your API key to list financial account amounts, which is sensitive but matches the stated purpose.

Install only if you trust the Sure instance you configure. Use a least-privilege API key, verify SURE_BASE_URL before running the request, and avoid sharing the returned financial account data.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent process using this skill with your environment variables can request account amounts from the configured Sure instance.

Why it was flagged

The skill asks the user to provide an API key and sends it to the configured Sure API endpoint to retrieve account information. This is expected for the stated financial reporting purpose, but it grants access to sensitive account data.

Skill content

export SURE_API_KEY="YOUR_API_KEY"
export SURE_BASE_URL="YOUR_BASE_URL"
...
curl -H "X-Api-Key: $SURE_API_KEY" "$SURE_BASE_URL/api/v1/accounts"

Recommendation

Use a limited or read-only Sure API key if available, set SURE_BASE_URL only to a trusted Sure instance, and revoke the key when it is no longer needed.

What this means

If SURE_BASE_URL is set incorrectly or maliciously, the API key could be sent to the wrong server.

Why it was flagged

The skill uses a raw curl command with a user-configured base URL. The command is narrow and purpose-aligned, but users should ensure the configured URL is correct before sending the API key.

Skill content

curl -H "X-Api-Key: $SURE_API_KEY" "$SURE_BASE_URL/api/v1/accounts"

Recommendation

Double-check SURE_BASE_URL before use and prefer HTTPS endpoints you control or trust.