Back to skill
Skillv1.0.3
ClawScan security
Wise Read Only · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 7, 2026, 8:59 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill implements a coherent read-only Wise API client that only needs a WISE_API_TOKEN and calls api.wise.com; the only notable discrepancy is the registry-level metadata that incorrectly listed no required env var.
- Guidance
- This skill appears to be what it claims: a read-only Wise API client. Before installing, verify the registry metadata mismatch (the skill requires WISE_API_TOKEN despite an earlier header saying none). Provide a least-privilege Wise API token (read-only if Wise supports scoped tokens), avoid using a highly privileged/production token for testing, and confirm the platform's UI prevents implicit invocation if you want manual control. If you ever suspect the token was exposed, revoke it immediately. If you need deeper assurance, review the script yourself (scripts/wise_readonly.mjs is included and small) or run it in a sandboxed environment first.
Review Dimensions
- Purpose & Capability
- noteThe skill's name, description, SKILL.md, .clawhub/config.toml, and the script all align: it is a read-only Wise API client. However, the top-level registry metadata (in the evaluation header) stated 'Required env vars: none' and 'Primary credential: none', which contradicts the skill files that require WISE_API_TOKEN. This appears to be a metadata mismatch (outdated or erroneous registry metadata), not a functional mismatch in the code.
- Instruction Scope
- okThe SKILL.md and the script limit behavior to GET requests against https://api.wise.com and explicitly state read-only operations and PII redaction. The script only reads command-line args and the WISE_API_TOKEN env var, formats requests, redacts certain PII fields by default, and prints JSON. There are no instructions to read arbitrary local files or send data to third-party endpoints outside api.wise.com.
- Install Mechanism
- okNo install spec is provided (instruction-only skill) and the included script is self-contained Node.js. Nothing is downloaded from external/untrusted URLs and no archives are extracted. Risk from install mechanism is low.
- Credentials
- noteThe skill requires a single credential, WISE_API_TOKEN, which is appropriate for a Wise API client. Again, the only inconsistency is the registry header claiming no required env vars while .clawhub/config.toml and SKILL.md declare WISE_API_TOKEN as required and primary. No unrelated secrets or broad system credentials are requested.
- Persistence & Privilege
- okThe skill does not request always:true and does not modify other skills or system configuration. The agents/openai.yaml sets allow_implicit_invocation: false (UI policy to disable implicit invocation by default), so it is not granted forced/global presence. The normal platform behavior allowing autonomous invocation is not a special privilege of this skill and is not combined with other worrying indicators.