Skill v1.0.0

ClawScan security

API Health Check · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 4, 2026, 3:18 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill mostly does what it claims (lightweight API health checks) but contains an unnecessary and risky TLS-certificate bypass and a small mismatch between documentation and code, which makes it suspicious rather than clearly benign.
Guidance
This skill appears to do what it says—query public AI API endpoints and report status—but it disables SSL certificate verification in the Python script, which is unsafe: an attacker on your network could spoof API responses and cause misleading results or leak information. Recommended steps before installing or running: (1) Inspect or run the script in a network-isolated environment; (2) remove the lines that set ctx.check_hostname = False and ctx.verify_mode = ssl.CERT_NONE so the default certificate validation is used; (3) consider changing the request to a GET when HEAD is unsupported, or add fallback logic, and add retries/backoff; (4) prefer using a well-maintained HTTP library (requests) with verify=True and clearer error handling; (5) if you can't review or modify the code, run it only on trusted networks or avoid using it. Given the TLS bypass, treat this as suspicious until that issue is fixed.
Findings
[insecure-ssl-disable] unexpected: The script explicitly disables TLS certificate verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE). Disabling certificate validation is unnecessary for a health-check utility contacting public APIs and exposes the tool to man-in-the-middle (MITM) attacks. This is not expected for a benign health-check and is the primary security concern.

Review Dimensions

Purpose & Capability
ok · Name/description align with the included script and behavior: it contacts known AI API endpoints and reports HTTP status and latency. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note · SKILL.md limits runtime behavior to issuing HTTP HEAD/GET checks and summarizing results. The script itself performs only network requests and prints output (no file reads/writes, no env var access). However, SKILL.md mentions HEAD/GET while the script uses only HEAD; some endpoints may not respond correctly to HEAD. The script also disables TLS verification (see the Findings above), which is outside the stated 'lightweight' health-check necessity.
Install Mechanism
ok · Instruction-only with a small Python script, no install spec and no external downloads: low install risk.
Credentials
ok · The skill requests no environment variables or credentials. Its network access to the listed API hostnames is proportionate to its stated purpose.
Persistence & Privilege
ok · No elevated persistence requested (always:false). The skill does not modify agent/system configuration or require permanent presence.