Skill v0.1.0

ClawScan security

Pointsyeah Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 12:03 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is instruction-only and its requirements and runtime instructions are proportionate to its stated purpose, though the SKILL.md expects a local CLI package that is not included in the bundle.
Guidance
This skill is instruction-only: it documents how to use a 'pointsyeah' CLI but does not include the CLI code. Before running the shown 'uv pip install -e .' or 'uv tool install -e .' commands, verify the actual package source (a trusted repository or release). Do not pip-install or run editable installs from an untrusted directory. Note the --open flag will open generated URLs in your browser; only open links you trust. If you want the agent to run this autonomously, be comfortable that it may open external URLs on your behalf. If you expect the skill to provide the CLI itself, ask the publisher or obtain the official package source first.

Review Dimensions

Purpose & Capability
note: The skill's description says it provides a CLI to generate PointsYeah deep links. The SKILL.md gives commands and install instructions for a 'pointsyeah' package, but the bundle contains no code or install spec, so the skill is purely instructional and assumes the CLI is provided elsewhere. This is a minor incoherence (missing packaged CLI) but not an obvious security mismatch.
Instruction Scope
note: Instructions are focused on generating flight/hotel deep links and running the CLI (including an --open flag to open links in a browser). They also show how to run a local pip editable install and tests. The instructions do not request or read credentials, system files, or external endpoints beyond opening a browser. The only scope oddity is instructing a local 'pip install -e .' despite no packaged code in the bundle.
Install Mechanism
ok: There is no install spec in the registry metadata (instruction-only). The SKILL.md suggests using 'uv pip install -e .' or 'uv tool install -e .', which are local editable installs rather than downloads of arbitrary remote archives. No downloads, extract steps, or external package pulls are specified in the skill metadata.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths and the instructions do not reference secrets. The requested environment access is proportionate to the stated functionality.
Persistence & Privilege
ok: The skill is not always-enabled and uses default autonomous-invocation settings. It does not request persistent system-wide changes or alter other skills. No elevated persistence privileges are requested.