Skill v1.0.2
ClawScan security
Strawpoll Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 6:25 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with being a StrawPoll CLI helper: it requires the strawpoll binary and an API key, and its instructions and install methods align with that purpose.
- Guidance: This skill appears to be what it claims: a CLI wrapper for the StrawPoll API. Before installing, verify you trust the Homebrew tap (dedene/tap) and the GitHub repo (github.com/dedene/strawpoll-cli), since brew/go will fetch code from those sources. Provide only the StrawPoll API key (STRAWPOLL_API_KEY); when possible, store it in a system keyring rather than embedding it in persistent environment variables. If you need stronger assurance, inspect the upstream repository code or install in an isolated environment (container/VM) before granting it long-lived credentials.
Review Dimensions
- Purpose & Capability (note): The name/description match the requested binaries and primary credential (strawpoll binary + STRAWPOLL_API_KEY). Minor inconsistency: top-level metadata lists "Required env vars: none" while the skill declares STRAWPOLL_API_KEY as the primary credential in SKILL.md/metadata — this is likely a metadata oversight but not a functional mismatch.
- Instruction Scope (ok): The SKILL.md only instructs use of the strawpoll CLI and references expected local config/keyring paths (~/.config/strawpoll, keyring). It does not tell the agent to read unrelated files or to send data to endpoints other than the StrawPoll service or to arbitrary hosts.
- Install Mechanism (note): Install uses a Homebrew tap (dedene/tap) and a Go package (github.com/dedene/strawpoll-cli). Both are common for distributing CLIs; the custom tap means you should trust the tap owner/repo before installing via brew, but there are no opaque download URLs or extract-from-random-host steps.
- Credentials (ok): The only required credential is the StrawPoll API key (STRAWPOLL_API_KEY), which is proportionate to the described functionality. The reference mentions optional keyring-related env vars (STRAWPOLL_KEYRING_BACKEND, STRAWPOLL_KEYRING_PASSWORD) for key storage — these are reasonable optional settings, not required secrets collected by the skill.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated or system-wide privileges. It stores config under its own config path and mentions keyring usage; it does not claim to modify other skills or global agent settings.
