Skill v1.1.2

ClawScan security

MasterSwarm AI Document Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 9:49 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (an API connector that needs a MasterSwarm API key and sends document text to an external endpoint), but it relies on an external service and makes unverifiable privacy/operational claims that users should review before sending sensitive data.
Guidance
This skill behaves like a straightforward API connector and only needs a single API key, but it sends your text/documents to an external service. Before installing: (1) verify the operator and domain mapping (masterswarm.net vs api.neurodoc.app) and confirm the privacy policy and retention promises; (2) avoid sending highly sensitive data (full IDs, passwords, private keys) until you trust the service; (3) test with non-sensitive samples; (4) store the API key securely and be prepared to revoke it if you detect misuse; (5) check billing/credit semantics so you understand cost per call and rate limits. The skill is coherent, but because it transmits data off-device, treat it as exposing that data to a third party and proceed accordingly.

Review Dimensions

Purpose & Capability
ok: Name/description, declared env var (MASTERSWARM_API_KEY), and the SKILL.md all describe an API connector to a cloud service. The required credential is proportional to the stated functionality (calling an external analysis API).
Instruction Scope
note: Runtime instructions are limited to constructing and sending POST requests to https://api.neurodoc.app/aetherlang/execute with the API key and user-provided text; they do not instruct reading local files or other environment variables. However, the skill explicitly encourages uploading sensitive documents (receipts, lab results, contracts) to a third-party endpoint and makes privacy/retention claims that cannot be verified from the skill itself. Also note the API host (api.neurodoc.app) differs from the public site (masterswarm.net) though the SKILL.md asserts they are the same operator.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. This is the lowest-risk install model.
Credentials
ok: Only one environment variable is declared (MASTERSWARM_API_KEY) which is appropriate for an API connector. No unrelated secrets, system paths, or other credentials are requested.
Persistence & Privilege
ok: Skill is not marked always:true, does not request persistent local modifications, and does not claim to modify other skills or global agent settings.