Skill v1.0.0
ClawScan security
Flatastic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 10:49 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally coherent: it’s an instruction-only wrapper for an existing flatastic CLI and only requires that the user have the flatastic binary and its local config/token; nothing requested or described is disproportionate to its stated purpose.
- Guidance: This skill simply instructs the agent to call an existing 'flatastic' CLI; before installing, confirm you trust the source of that CLI (the SKILL.md suggests building/linking via npm). Be aware commands can change live data and send notifications (posting shouts, sending reminders, adding expenses). Protect the local config file (~/.config/flatastic/config.json) because it contains an auth token. If you do not want the agent to perform destructive or noisy actions autonomously, restrict when it can invoke the skill or review commands before execution.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: the SKILL.md documents calls to a 'flatastic' CLI to manage chores, shopping, expenses and WG info. The only declared requirement is the 'flatastic' binary, which is appropriate for this purpose. The README-style install steps (npm install, npm link) explain how to obtain that binary but are not required by the platform.
- Instruction Scope (note): Instructions tell the agent to run live CLI commands that query and modify remote Flatastic state (list chores, mark done, post shouts, add expenses, send reminders). This is expected, but important: many commands mutate remote data and can trigger notifications to other users. The SKILL.md references the config file location (~/.config/flatastic/config.json) where a token and user/WG info are stored — the skill does not request extra system files, but the agent will rely on that token when calling the service.
- Install Mechanism (ok): No install spec is included (instruction-only), which is the lowest-risk install pattern. The SKILL.md contains manual npm-based steps to build/link the CLI for users, but the platform itself does not download or execute arbitrary archives. No external or untrusted URL downloads are specified.
- Credentials (note): The skill does not require environment variables or unrelated credentials — appropriate for its scope. It does rely on a locally stored token in ~/.config/flatastic/config.json; access to that file is proportional to the skill's purpose but contains authentication material, so it should be protected. No unrelated secrets or broad system config paths are requested.
- Persistence & Privilege (ok): The skill is not configured with always:true and is user-invocable; autonomous invocation is allowed by default but not exceptional here. The skill does not request elevated system privileges or modify other skills' configurations.
