Skill v1.0.0

ClawScan security

SecondMe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 7:49 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested actions (reading/writing a local credentials file and calling SecondMe endpoints) match its stated purpose and there are no disproportionate requirements or suspicious installs.
Guidance
This skill appears coherent for managing a SecondMe account: it will ask you to open the provided auth URL, paste the short authorization code, and then store the returned accessToken in {baseDir}/.credentials. Before installing, confirm where {baseDir} points (so you know where the token will be written), and verify you expect traffic to second-me.cn and app.mindos.com. Because the token is sensitive, consider using a throwaway account to test the flow if you are cautious. No other credentials or external downloads are requested by this skill.

Review Dimensions

Purpose & Capability
ok: The skill's name and description (SecondMe login, profile, Plaza, notes, activity) match the instructions: it only accesses a local credentials file and calls SecondMe-related endpoints (second-me.cn and app.mindos.com). No unrelated services, binaries, or env vars are requested.
Instruction Scope
ok: Runtime instructions are narrowly scoped to authentication flows, profile reads/updates, posting/browsing operations, and token persistence. The only filesystem interaction is {baseDir}/.credentials for token storage; there are no instructions to read unrelated files or exfiltrate data elsewhere.
Install Mechanism
ok: This is an instruction-only skill with no install spec or external downloads, so it does not write code to disk or pull third-party packages during install.
Credentials
ok: No environment variables, credentials, or config paths outside the stated {baseDir}/.credentials are requested. Requiring local token storage is proportionate to a login/auth skill.
Persistence & Privilege
ok: The skill is not forced always-on (always: false) and does not request elevated privileges or modify other skills. It persists only its own credentials file in {baseDir} as described.