Skill v3.0.2
ClawScan security
Api Router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 24, 2026, 1:11 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only local reference tool: its files and runtime instructions match the stated purpose and request no credentials or network access.
- Guidance: This skill appears to be a simple, self-contained reference tool and is coherent with its description. Before installing or enabling: (1) review the included scripts (scripts/script.sh) yourself — it only prints local docs; (2) only enable/run skills from sources you trust; (3) if you are extra cautious, run the script in a sandbox or with limited permissions. The small version-number mismatches are harmless bookkeeping issues but you may want to confirm you have the desired release.
Review Dimensions
- Purpose & Capability (note): Name/description (API Router reference) align with what is included: a local reference SKILL.md and a shell script that prints documentation. No external credentials, binaries, or unrelated capabilities are requested. Minor bookkeeping inconsistency: SKILL.md header lists version 3.0.1, registry metadata is 3.0.2, and scripts/script.sh contains VERSION="3.0.0" — this is not a security issue but worth noting.
- Instruction Scope (ok): SKILL.md explicitly states all commands output plain-text via heredoc and require no network access. The provided script only prints embedded documentation, does not read arbitrary system files, does not reference environment variables, and does not perform network calls or data exfiltration.
- Install Mechanism (ok): No install spec is provided (instruction-only); the shipped script is self-contained and will not download or install external components. No high-risk download/extract steps are present.
- Credentials (ok): The skill declares no required environment variables, no primary credential, and the runtime script does not access environment variables or configuration paths. Requested privileges are proportionate to a local reference tool.
- Persistence & Privilege (ok): always is false, user-invocable is true, and disable-model-invocation is false (normal). The skill does not modify other skills or system-wide agent settings; it only provides a runnable script and documentation.
