Skill v1.0.0
ClawScan security
Skill 4 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 4:32 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with a simple, zero-dependency website uptime and content-change monitor and do not request unrelated credentials, installs, or system access.
- Guidance: This skill appears to do exactly what it says: make HTTP(S) requests, time them, hash responses, and optionally check for text. Before installing or running it, review the included main.py (already provided) if you will point it at sensitive internal URLs; the script will perform outbound requests to whatever URLs you supply. It does not exfiltrate data to other endpoints or read local secrets, but run it in a restricted environment if you have strict network/data policies. If you need authenticated checks, note the script does not handle credentials or cookies by default.
Review Dimensions
- Purpose & Capability: ok. Name/description (uptime, response time, hashing, text checks) match the included code and CLI options. The tool uses only the Python standard library and requires no external services or credentials, which is proportionate to its stated purpose.
- Instruction Scope: ok. SKILL.md tells the agent to run the bundled Python script with URL arguments and flags. The runtime instructions and code only perform HTTP(S) requests to the target URLs, measure timing, compute hashes, and optionally check text — they do not read unrelated files, environment variables, or send data to third-party endpoints beyond the requested target URLs.
- Install Mechanism: ok. No install spec is provided and the skill is instruction-only with a single Python script that relies on the standard library. Nothing is downloaded or written to disk by an installer.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. The code likewise does not access environment variables or secrets. This is proportionate to a basic website monitoring tool.
- Persistence & Privilege: ok. The skill does not request always:true and does not attempt to modify other skills or system settings. It can be invoked by the agent (disable-model-invocation is false), which is the platform default and appropriate for a user-invokable monitoring skill.
