Skill v1.0.0

ClawScan security

API Contract Tester · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 11:45 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The instructions largely match an API contract tester's purpose, but the skill's metadata omits required tools and environment variables and the runtime steps can read and act on arbitrary repository files and install packages — these mismatches warrant caution.
Guidance
This skill's behavior is plausible for API contract testing, but the registry entries omit key runtime requirements. Before installing or running it: (1) require the publisher to declare needed binaries (git, python3, pip, pact-verifier, rg) and env vars (BASE_URL, PROVIDER_URL) so you can audit them; (2) run the skill in an isolated environment or container/CI job to avoid exposing repository secrets and to contain any runtime pip installs; (3) verify any on-demand installs (pip) are from trusted packages and consider pre-installing vetted tooling; (4) ensure the workspace doesn't contain sensitive tokens the skill could read; and (5) ask the publisher for a homepage or source repository so you can review the exact commands and sample outputs. These steps will reduce risk and clarify whether the missing metadata was an oversight or a red flag.

Review Dimensions

Purpose & Capability
concern: The SKILL.md expects tools and data typical for contract testing (git, python3, pip, pact-verifier, requests/pytest, ripgrep/rg, and environment variables like BASE_URL and PROVIDER_URL), but the registry metadata declares no required binaries or env vars. That discrepancy is incoherent: someone building this skill would reasonably need to declare those runtime dependencies and primary credentials/endpoints.
Instruction Scope
concern: Runtime instructions tell the agent to search the repository (find, rg), read files (OpenAPI specs, pacts, git history), make network requests against provider endpoints, and optionally pip install validator packages. These actions are within the stated purpose but are broad — they enable reading arbitrary repo files and making outbound requests, which can surface secrets or transmit data if the working directory contains sensitive information. Also several variables (BASE_URL, PROVIDER_URL) are referenced but not declared.
Install Mechanism
note: There is no install spec (instruction-only), so nothing will be written by a package installer up-front. However, the instructions include runtime operations that install packages (pip install openapi-spec-validator) and expect external tooling (pact-verifier). Relying on on-demand pip installs is less safe than declaring and vetting an install step and means arbitrary code can be pulled during execution.
Credentials
concern: The skill declares no required env vars, yet the instructions reference BASE_URL and PROVIDER_URL and implicitly expect potentially sensitive auth info when testing secured endpoints. It also directs searching consumer codebases for call sites, which could expose tokens/credentials embedded in code. The lack of declared env vars and credential guidance is a mismatch and increases risk.
Persistence & Privilege
ok: The skill is not always-enabled and does not request persistent modifications to agent configuration or other skills. It writes temporary files (e.g., /tmp/old-spec.yaml) and may install packages at runtime, but it does not request elevated platform privileges in the metadata.