Skill v1.0.1

ClawScan security

Beaver Habit Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 7:30 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a habit-tracking API client — it only needs curl and a Beaver Habits API key (and optional server URL) and contains no surprising privileges or installs.
Guidance
This skill appears coherent and low-risk, but before installing: only provide a Beaver Habits API token you trust (prefer a token with minimal scope if the service supports it); verify the SERVER_URL if you point the skill at a self-hosted instance (don't set it to an unknown host you don't control); review the referenced GitHub project (metadata shows https://github.com/daya0576/beaverhabits) to confirm the implementation if you want extra assurance; and be prepared to revoke the API token if you see unexpected activity. Note minor inconsistencies in the metadata: SKILL.md lists version 1.0.0 while the registry has 1.0.1 and the registry homepage was empty even though SKILL.md includes a GitHub link — these are administrative issues, not security blockers, but you may want to confirm the source repository before trusting the skill.

Review Dimensions

Purpose & Capability
ok: Name/description (Beaver Habit Tracker) match the declared env vars (BEAVERHABITS_API_KEY, optional SERVER_URL) and required binary (curl). All requested resources are reasonable for an API client that lists and completes habits.
Instruction Scope
ok: SKILL.md instructs only to call the Beaver Habits API endpoints with an Authorization header and to render ASCII tables. It does not ask to read unrelated files, access other environment variables, or transmit data to third-party endpoints outside the described server. The guidance to resolve habit IDs by listing habits is implementation-level but appropriate.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files. No downloads or archive extractions are specified, which minimizes on-disk risk.
Credentials
ok: Only one required secret (BEAVERHABITS_API_KEY) plus an optional SERVER_URL are requested; both are proportionate to the stated purpose. No unrelated credentials or excessive env variables are requested.
Persistence & Privilege
ok: always is false and the skill does not request system-wide changes or persistent presence. Autonomous invocation is allowed but is the platform default and not excessive here.