Skill v1.0.0

ClawScan security

Clarity Literature · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 9:41 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (searching Clarity Protocol literature); it only makes expected API calls to clarityprotocol.io and requests an optional CLARITY_API_KEY.
Guidance
This skill appears to do exactly what it says: call clarityprotocol.io to list and fetch paper details. Before installing, verify clarityprotocol.io is the legitimate service you expect, and only set CLARITY_API_KEY if you trust that site. Ensure the runtime has the Python 'requests' package available (the scripts rely on it but no installer is provided). Review the included scripts (they are small and readable) and, if you run them on shared systems, avoid embedding sensitive data in search queries since queries are sent to the external API.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, and the three Python scripts consistently implement searching and retrieving papers from clarityprotocol.io. The API_BASE endpoint matches the documented homepage. No unrelated services, binaries, or credentials are requested.
Instruction Scope
ok: Runtime instructions tell the agent to run the provided scripts. The scripts only perform HTTP GETs to the Clarity Protocol API, print results, and handle common HTTP errors/rate limits. They do not read unrelated files, access other environment variables, or transmit data to endpoints other than clarityprotocol.io.
Install Mechanism
note: This is instruction-only with bundled Python scripts (no install spec). The scripts use the Python requests library, but no dependency installation is declared—users must ensure requests is available in the runtime. No remote downloads or archive extraction occur.
Credentials
ok: Only an optional CLARITY_API_KEY environment variable is mentioned for higher rate limits; the code reads that env var and uses it as an X-API-Key header. No other secrets or unrelated credentials are requested.
Persistence & Privilege
ok: always is false and the skill does not attempt to modify other skills or system-wide configuration. The skill does not request permanent privileges or write unexpected files.