Skill v1.0.1

ClawScan security

EngageLab OTP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 27, 2026, 6:22 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, docs, and runtime instructions are consistent with an OTP/verification API client and webhook verifier; nothing in the package requests unrelated credentials, requires unusual installation steps, or exhibits hidden behavior.
Guidance
This package appears to be a straightforward OTP API client plus webhook verifier. Before installing or using it:
1) Verify the API base URL, and confirm that you trust both the EngageLab service and the skill author.
2) Never paste a production dev_key/dev_secret into an untrusted interface; provide credentials only to agents or systems you trust.
3) If you deploy verify_callback.py, protect the callback secret and restrict inbound traffic (use the documented IP whitelist where appropriate).
4) Ensure Python and the 'requests' library are available; the package does not declare its dependencies.
5) Review the template and message-sending code before sending messages to users, to avoid accidental spam or regulatory problems.
6) Rotate keys if you suspect exposure, and limit the permissions of API keys where possible.
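Guidance item 3 is the one most often done wrong, so here is an added, self-contained example of what a hardened inbound-callback verifier looks like. This is illustrative code written for this review page; it is not EngageLab's verify_callback.py, and the header names, the signing scheme (HMAC-SHA256 over "<timestamp>.<raw body>"), the 300-second freshness window, the secret and the 203.0.113.0/24 source range are all assumptions made for the demonstration. Substitute the scheme and the whitelist from the EngageLab callback docs before using anything like it.

```python
import hashlib
import hmac
import ipaddress
import time

# Assumed header names and signing scheme, chosen for this example only.
# EngageLab's documented callback scheme may differ; adapt these to it.
SIG_HEADER = "x-callback-signature"
TS_HEADER = "x-callback-timestamp"


def sign_callback(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the sending side would compute: HMAC-SHA256 over "<timestamp>.<raw body>"."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class CallbackVerifier:
    """Accepts a callback only if it arrives from a whitelisted source, is fresh,
    and carries a valid HMAC over the raw (unparsed) body."""

    def __init__(self, secret: bytes, allowed_cidrs, max_skew_seconds=300, now=time.time):
        self.secret = secret
        self.networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.max_skew = max_skew_seconds
        self.now = now  # injectable clock so the freshness check is testable

    def source_allowed(self, remote_addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        return any(ip in net for net in self.networks)

    def verify(self, remote_addr: str, headers: dict, body: bytes) -> tuple:
        """Returns (accepted, reason). Cheapest checks run first, and every
        failure rejects the request before the body is parsed or acted on."""
        if not self.source_allowed(remote_addr):
            return False, "source ip not in whitelist"
        # HTTP header names are case-insensitive; normalise before lookup.
        h = {k.lower(): v for k, v in headers.items()}
        ts_raw, sig = h.get(TS_HEADER), h.get(SIG_HEADER)
        if not ts_raw or not sig:
            return False, "missing signature headers"
        try:
            ts = int(ts_raw)
        except ValueError:
            return False, "bad timestamp"
        # Reject stale or future-dated callbacks to blunt replay of a captured one.
        if abs(int(self.now()) - ts) > self.max_skew:
            return False, "timestamp outside window"
        expected = sign_callback(self.secret, ts, body)
        # Constant-time comparison: a plain == leaks timing about the signature.
        if not hmac.compare_digest(expected, sig.strip().lower()):
            return False, "signature mismatch"
        return True, "ok"


def demo():
    """Constructed sample data: a documentation-range source network, a fixed
    clock and a fake secret. None of this is real EngageLab traffic."""
    secret = b"example-callback-secret-do-not-use"
    fixed_now = 1_700_000_000
    verifier = CallbackVerifier(secret, ["203.0.113.0/24"], now=lambda: fixed_now)
    body = b'{"msg_id":"abc123","status":"DELIVERED"}'
    headers = {TS_HEADER: str(fixed_now), SIG_HEADER: sign_callback(secret, fixed_now, body)}
    old_ts = fixed_now - 900  # a callback captured 15 minutes ago and replayed
    old_headers = {TS_HEADER: str(old_ts), SIG_HEADER: sign_callback(secret, old_ts, body)}

    return {
        "valid": verifier.verify("203.0.113.10", headers, body),
        "tampered_body": verifier.verify("203.0.113.10", headers,
                                         body.replace(b"DELIVERED", b"FAILED")),
        "replayed": verifier.verify("203.0.113.10", old_headers, body),
        "wrong_source": verifier.verify("198.51.100.7", headers, body),
        "missing_headers": verifier.verify("203.0.113.10", {}, body),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:16} accepted={accepted} reason={reason}")
```

Two points worth keeping when adapting this: the HMAC over the raw body is the real authenticator and the IP whitelist is only a defence-in-depth layer, so never skip the signature check because the source address looked right; and behind a reverse proxy, remote_addr must be the address the proxy actually saw, not a client-supplied X-Forwarded-For value, or the whitelist check is trivially bypassed.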

Review Dimensions

Purpose & Capability
ok
Name/description match the included materials: a REST client (otp_client.py), a webhook verifier (verify_callback.py), and comprehensive API docs. All requested capabilities (send/verify/templates/callbacks/SMPP) are implemented or documented; there are no unrelated credential requests or surprising binaries.
Instruction Scope
ok
SKILL.md instructs how to authenticate (dev_key/dev_secret), which endpoints to call, and how to validate callbacks. The instructions do not direct the agent to read unrelated files, harvest environment variables, or send data to unexpected endpoints. The webhook verification code and callback docs are scoped to securing incoming callbacks.
Install Mechanism
note
This is an instruction-only skill with Python helper scripts; there is no install spec. The client uses the 'requests' package, but no dependency list is declared, so the user/agent must ensure Python and requests are available. No network downloads or external installers are embedded.
Credentials
ok
The skill does not declare required environment variables or primary credentials. It legitimately needs the user's dev_key/dev_secret to call the API; SKILL.md instructs the agent to ask the user if credentials are missing. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok
The 'always' flag is false, and the skill does not request persistent or privileged system presence or modify other skills. Autonomous invocation is allowed by default, but no additional high-risk privileges are granted.