Skill v0.1.0
ClawScan security
Chaterimo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 8:11 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (Chaterimo customer-service API integration) and only requests a single service API key; nothing in the instructions, manifest, or install steps is disproportionate or unrelated.
- Guidance: This skill appears coherent: it only needs your Chaterimo API key to call Chaterimo's API endpoints. Before installing, verify the vendor/site (https://www.chaterimo.com), ensure the API key you provide is scoped with least privilege (read-only if available), and avoid sharing a high-privilege key. Remember that redaction/PII claims are provided by the vendor — test on non-sensitive data first to confirm behaviour. If you have an option, create a dedicated API key you can revoke/rotate. Finally, note that the agent can call the skill autonomously (normal behavior); monitor usage and audit logs in your Chaterimo dashboard if concerned.
- Findings: [no_code_files_to_scan] expected: The regex-based scanner found nothing because this is an instruction-only skill with no code files; that is consistent with a declarative API-integration skill.
Review Dimensions
- Purpose & Capability (ok): Name/description match the required artifact: the skill is an instruction-only wrapper for Chaterimo's API and declares only CHATERIMO_API_KEY. Requesting the service API key is appropriate for the listed capabilities (listing chatbots, browsing conversations, fetching transcripts).
- Instruction Scope (ok): SKILL.md describes calling Chaterimo REST endpoints (GET /api/...), setting CHATERIMO_API_KEY, and fetching conversation data. The instructions do not request unrelated system files, credentials, or other environment variables. Privacy/redaction claims are vendor assertions in the docs rather than additional agent behavior.
- Install Mechanism (ok): No install spec or code is included (instruction-only), so nothing is downloaded or written to disk by an installer. This minimizes installation risk.
- Credentials (ok): Only one environment variable (CHATERIMO_API_KEY) is required and is appropriate for the declared API-based functionality. No unrelated credentials or config paths are requested.
- Persistence & Privilege (ok): The skill is not forcing persistent/global inclusion (always: false) and uses normal autonomous invocation settings. It does not request to modify other skills or system-wide settings.
