Skill v1.0.0
ClawScan security
Clarity Variant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 9:41 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are internally consistent with its stated purpose (retrieving variant data from clarityprotocol.io); there are only minor metadata omissions to be aware of.
- Guidance: This skill appears to do what it claims: call clarityprotocol.io and print variant details, findings, and annotations. Before installing: 1) Confirm you trust https://clarityprotocol.io and only provide CLARITY_API_KEY if you intend to associate requests with your account (the key is sent in the X-API-Key header). 2) Ensure your environment has Python and the 'requests' library. 3) Note the small metadata mismatches (registry version vs SKILL.md version, and CLARITY_API_KEY listed only in SKILL.md) — ask the publisher to correct metadata if you need strict provenance. If you don't want network access or to share an API key, do not install/use this skill.
Review Dimensions
- Purpose & Capability (note): The name/description match the actual behavior: all scripts call the clarityprotocol.io API to fetch variants, findings, and annotations. One minor metadata inconsistency: the SKILL.md lists metadata/version 2.0.0 while the registry shows version 1.0.0. This is likely an authoring/versioning mismatch but does not affect functionality.
- Instruction Scope (ok): SKILL.md and the scripts instruct only network calls to the declared API endpoints and local stdout printing. The runtime instructions and example CLI commands directly map to the provided scripts; no unexpected file reads, writes, or unrelated system access are present.
- Install Mechanism (ok): There is no install spec (instruction-only). The code is pure Python and performs HTTPS requests. No downloads from untrusted URLs or archive extraction are present. Note: the scripts depend on the 'requests' library but the skill does not declare an installer — the environment must provide Python and requests.
- Credentials (note): Behavior uses a single optional environment variable CLARITY_API_KEY for higher rate limits; this is appropriate for the API usage. However, the registry metadata lists 'Required env vars: none' and does not declare CLARITY_API_KEY as an optional variable — the SKILL.md and code do reference it. The requested credential scope is proportional (API key only) and no unrelated secrets are accessed.
- Persistence & Privilege (ok): The skill does not request permanent/always inclusion (always: false) and does not modify other skills or system settings. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal and expected for skills.
