Skill v0.1.0

ClawScan security

Nearby Breakfast Spots · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 23, 2026, 5:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with its stated purpose (finding nearby breakfast spots); it is instruction-only, asks for no credentials, and does not install code, but the runtime instructions are somewhat vague about data sources and caching/privacy implementation details.
Guidance
This skill appears coherent and low-risk, but before installing confirm: (1) where the POI data will come from (which API/endpoints and any required credentials), (2) how and where any caching is stored and how long location data is kept, and (3) that the agent enforces the 'only query after user authorizes' rule and applies the described coordinate fuzzing. Because the skill is instruction-only, actual network calls and data handling depend on the agent/integration—ask the publisher or integrator for the concrete provider/endpoints and privacy/caching implementation before granting location access.

Review Dimensions

Purpose & Capability
ok
Name/description (find nearby breakfast spots) match the content of SKILL.md. The skill requires no binaries, env vars, or installs and does not ask for unrelated permissions — proportionate to the stated purpose.
Instruction Scope
note
SKILL.md defines inputs, outputs, error codes, and privacy guidance (only query after user authorizes location, recommend fuzzing coordinates, caching behavior). However, it does not specify which data provider(s), API endpoints, or query mechanism to use (or how to authenticate if needed). That vagueness means actual behavior depends on the agent implementation or external connectors; verify where POI data will be fetched and how caching/personal data handling is implemented.
Install Mechanism
ok
No install spec and no code files are present. As an instruction-only skill it does not write files or download artifacts during installation.
Credentials
ok
No environment variables, credentials, or config paths are requested. The only sensitive input is user location, which the doc explicitly restricts to 'after user authorizes' and advises fuzzing.
Persistence & Privilege
ok
always is false and there is no request to modify other skills or system-wide settings. The SKILL.md suggests short-term caching but does not require persistent system-wide privileges.