Skill v1.0.0
ClawScan security
Category Selection · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 9:10 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent for performing Amazon category analysis via the Sorftime MCP API and does not request unrelated credentials or hidden endpoints, but there are minor inconsistencies and missing dependency/deployment information you should review before running it.
- Guidance
- This skill appears to do what it claims: call the Sorftime MCP API, parse SSE results, score categories, and generate reports. Before installing or running it:
  1. Inspect your .mcp.json (or whatever you use to supply the Sorftime API key): the scripts read that file and extract the key. Remove or rotate any keys you do not want the skill to be able to read.
  2. Run the Python scripts in a controlled environment (virtualenv or container) after installing the required packages (requests, and likely openpyxl/pandas if you need Excel output).
  3. Review the included scripts (they are not obfuscated) and confirm you are comfortable with the files they write (reports, execution.log, parse_debug.txt).
  4. Note the inconsistency: some docs reference an env var (SORFTIME_API_KEY) while analyze_category.py currently prefers .mcp.json. Decide which source you want and adjust the code accordingly.
  5. If you will run this on sensitive hosts, run it in a sandbox first to verify its behavior and outputs.
Review Dimensions
- Purpose & Capability
- ok: The name/description (Amazon category selection and report generation) matches the actual behavior: the scripts call Sorftime MCP endpoints (category_report, product_detail, etc.), parse SSE responses, compute the five-dimension scores, and generate Markdown/Excel/HTML reports. Network access to mcp.sorftime.com is required and expected for this purpose.
- Instruction Scope
- note: SKILL.md and the scripts instruct the agent/user to call Sorftime MCP APIs and to run the included Python scripts, which read and write report files (category-reports/, execution.log, data.json, etc.). The workflow explicitly reads a local .mcp.json for an API key and writes logs and multiple output files. This is consistent with the skill's purpose, but it means the skill accesses local configuration and creates files. There is no instruction to read unrelated system files or to send data to any endpoint other than Sorftime.
- Install Mechanism
- concern: There is no install spec despite the many Python scripts. The code imports third-party libraries (requests, and likely openpyxl or others in the Excel-generation scripts), but no dependencies are declared, so the scripts will fail at import time unless you identify and install the needed packages yourself. No arbitrary download URLs or obfuscated installers were found, but the missing dependency and runtime-environment guidance is a gap you should close before running.
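A quick check for the undeclared-dependency gap described above, added here as an example and not part of the scanner report or of the skill itself: walk the skill's Python files with the `ast` module and list every imported top-level module that is neither in the standard library nor another file inside the skill. The three sample scripts below are constructed stand-ins (the names echo the report, the contents are made up); point `load_skill_dir` at the real skill directory to get the actual list.

```python
import ast
import sys
from pathlib import Path

# Constructed sample scripts standing in for a skill's files. The file names echo
# the scanner report (analyze_category.py) but the contents are made up for this
# example; the real skill's imports may differ.
SAMPLE_SCRIPTS = {
    "analyze_category.py": "import json\nimport requests\nfrom pathlib import Path\n",
    "generate_excel.py": "import openpyxl\nimport pandas as pd\nfrom utils import score\n",
    "utils.py": "import math\n\ndef score(x):\n    return x\n",
}

# Python 3.10+ ships the full stdlib module list; the short fallback set only
# covers modules used in the sample and is not complete for older interpreters.
STDLIB = set(getattr(sys, "stdlib_module_names", ())) or {
    "json", "pathlib", "math", "os", "sys", "re", "time", "logging", "subprocess",
}


def third_party_imports(sources):
    """Return {module: {file, ...}} for every top-level import that is neither
    standard library nor another file inside the skill.

    sources maps file name -> file contents.
    """
    local_modules = {Path(name).stem for name in sources}
    found = {}
    for fname, src in sources.items():
        tree = ast.parse(src, filename=fname)
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                names = [alias.name.split(".")[0] for alias in node.names]
            elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
                # relative imports (level > 0) are always local, so they are skipped
                names = [node.module.split(".")[0]]
            else:
                continue
            for name in names:
                if name in STDLIB or name in local_modules:
                    continue
                found.setdefault(name, set()).add(fname)
    return found


def load_skill_dir(path):
    """Read every .py file under path into the mapping third_party_imports expects."""
    root = Path(path)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8")
            for p in root.rglob("*.py")}


def requirements_stub(found):
    """Unpinned requirements.txt content; pin versions before you commit it."""
    return "\n".join(sorted(found)) + "\n"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    sources = load_skill_dir(target) if target else SAMPLE_SCRIPTS
    deps = third_party_imports(sources)
    for mod, files in sorted(deps.items()):
        print(f"{mod:12s} imported by {', '.join(sorted(files))}")
    print("--- requirements.txt stub ---")
    print(requirements_stub(deps), end="")
```

Run it as `python deps_check.py /path/to/skill` before creating the virtualenv; the output tells you which packages to install and which script pulls each one in, so an unexpected import (one unrelated to reports or the Sorftime API) stands out.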
- Credentials
- note: The skill does not request unrelated credentials; it uses an API key for the Sorftime MCP. The code auto-loads that key from a local .mcp.json (and some documentation mentions an env var, SORFTIME_API_KEY). This is proportional to the stated purpose, but the files and docs are inconsistent about whether the env var is consulted. Because the script reads a local configuration file (.mcp.json) that may contain other sensitive keys, review that file before running.
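One way to resolve the env-var versus .mcp.json inconsistency flagged in the Guidance and here, added as an example and not the skill's own code: consult SORFTIME_API_KEY first, fall back to .mcp.json only for the Sorftime server entry rather than slurping the whole file, and separately report which other entries carry secret-looking values that a less careful loader would have exposed. The .mcp.json layout assumed below (`mcpServers` keyed by server name, each with optional `env` and `headers`) is the common MCP-client shape, not something the report confirms, and the server name `sorftime` and all key values are constructed.

```python
import json
import os
from pathlib import Path

ENV_VAR = "SORFTIME_API_KEY"
SERVER_NAME = "sorftime"  # assumed name of the Sorftime entry in .mcp.json

# Constructed sample .mcp.json. The layout (mcpServers -> name -> env/headers) is
# an assumption about the common MCP client format; every value here is fake.
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "sorftime": {"env": {"SORFTIME_API_KEY": "sk-sorftime-example"}},
        "github": {"env": {"GITHUB_TOKEN": "ghp-unrelated-example"}},
        "filesystem": {"command": "npx", "args": ["mcp-server-filesystem"]},
    }
})

SECRET_HINTS = ("key", "token", "secret", "password")


def _server_secret(entry):
    """Pull the Sorftime key from one server entry: env block first, then a
    bearer Authorization header."""
    env = entry.get("env", {})
    if env.get(ENV_VAR):
        return env[ENV_VAR]
    for name, value in entry.get("headers", {}).items():
        if name.lower() == "authorization" and value.lower().startswith("bearer "):
            return value[len("bearer "):]
    return None


def load_sorftime_key(env=None, mcp_json_text=None, server=SERVER_NAME):
    """Return (key, source). The env var wins; otherwise only the named server
    entry of .mcp.json is read, so other servers' secrets are never touched."""
    env = os.environ if env is None else env
    if env.get(ENV_VAR):
        return env[ENV_VAR], "env"
    if mcp_json_text is None:
        return None, "missing"
    cfg = json.loads(mcp_json_text)
    entry = cfg.get("mcpServers", {}).get(server, {})
    key = _server_secret(entry)
    return (key, ".mcp.json") if key else (None, "missing")


def unrelated_secret_entries(mcp_json_text, server=SERVER_NAME):
    """Names of the other server entries whose env/headers hold secret-looking
    values: exactly what a script that reads the whole file could have seen."""
    cfg = json.loads(mcp_json_text)
    exposed = []
    for name, entry in cfg.get("mcpServers", {}).items():
        if name == server:
            continue
        values = {**entry.get("env", {}), **entry.get("headers", {})}
        if any(hint in k.lower() for k in values for hint in SECRET_HINTS):
            exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    path = Path(".mcp.json")
    text = path.read_text(encoding="utf-8") if path.exists() else SAMPLE_MCP_JSON
    key, source = load_sorftime_key(mcp_json_text=text)
    print(f"Sorftime key {'found' if key else 'not found'} via {source}")
    print("other entries holding secrets:", unrelated_secret_entries(text))
```

Running this against your real .mcp.json (without a SORFTIME_API_KEY in the environment) shows both whether the fallback path would succeed and which unrelated credentials sit in the same file; if the second list is non-empty, either set the env var and drop the file fallback, or move those entries to a config the skill cannot read.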
- Persistence & Privilege
- ok: The skill is not set to always:true and does not request elevated agent privileges. It writes reports and logs to its own output directories, which is expected. It does not modify other skills or system-wide agent configuration.
