Skill v1.0.1
ClawScan security
Plausible Analytics · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 4:06 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required environment variables are coherent with its stated purpose (querying Plausible Analytics) and do not request unrelated access.
- Guidance: This skill appears to do exactly what it claims: run Node scripts that query plausible.io using your PLAUSIBLE_API_KEY. Before installing, ensure you: (1) only provide a Plausible API key you trust and be careful not to paste it into chat; (2) run the scripts in an environment with Node (Node 18+ recommended for global fetch) and isolate credentials (use a scoped/limited key if Plausible supports it); (3) review/rotate the API key if you later uninstall or suspect misuse; and (4) verify network egress to plausible.io is acceptable in your environment. The code is small and readable, but treat any API key as sensitive.
Review Dimensions
- Purpose & Capability: ok. Name/description match the behavior: the skill needs a Plausible API key and runs Node scripts that call plausible.io endpoints to fetch stats, realtime visitors, and breakdowns. There are no unexpected credentials, binaries, or config paths requested.
- Instruction Scope: ok. SKILL.md and the three scripts only instruct running Node scripts that call Plausible API endpoints. The scripts read only the declared env vars (PLAUSIBLE_API_KEY and optional PLAUSIBLE_SITE_ID) and CLI arguments; they don't access other system files, services, or external endpoints beyond plausible.io.
- Install Mechanism: ok. No install spec; this is instruction+script based. All included code is small, readable, and makes HTTPS calls to plausible.io. There are no downloads from arbitrary URLs, no archive extraction, and no package installation specified by the skill itself.
- Credentials: ok. Only PLAUSIBLE_API_KEY is required (PLAUSIBLE_SITE_ID optional). That is appropriate and proportionate for a Plausible Analytics integration. No unrelated secrets or broad system credentials are requested.
- Persistence & Privilege: ok. `always` is false, the skill does not request permanent/system-level presence, and the scripts do not modify other skills or system-wide configuration.
