Skill v1.0.2

ClawScan security

Stormglass Surf & Ocean Data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 9:39 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely does what it claims (fetch surf data from Stormglass, optional geocoding), but there are small mismatches between declared requirements and the runtime instructions that you should review before installing.
Guidance
This skill appears coherent with its stated purpose: it runs a Python CLI that calls Stormglass (requires STORMGLASS_API_KEY) and, if you provide a key, Google Geocoding, falling back to OpenStreetMap Nominatim otherwise. Before installing or using it:
1) The registry lists only STORMGLASS_API_KEY as required, while SKILL.md and the code also accept an optional GOOGLE_GEOCODING_API_KEY. If automation exposes credentials to the skill based on the registry's declared list, account for that optional key explicitly.
2) Review the bundled scripts in your environment; they make outbound HTTPS calls to Stormglass, Google Maps, and OSM. To test without keys or network access, run the included tests with --mock.
3) Scope and rotate the Stormglass and Google keys you provide, and consider running the CLI in an isolated environment or with restricted egress if you have concerns.
4) Confirm that the full surf_report.py (the file is large) matches expectations and contains no unexpected remote endpoints or hidden behavior; for higher assurance, run the test runner in a sandbox first and inspect its logs.

Review Dimensions

Purpose & Capability
ok
Name/description match the included code and instructions: the CLI scripts fetch Stormglass weather/tide data and optionally geocode spot names. The requested binary (python3) and primary credential (STORMGLASS_API_KEY) are appropriate for this purpose.
Instruction Scope
note
SKILL.md and the scripts instruct the agent to run the local Python CLI, which makes network calls to Stormglass and (optionally) Google Geocoding or OpenStreetMap Nominatim. The instructions do not request reading unrelated files or broad system state. Note: SKILL.md refers to an optional GOOGLE_GEOCODING_API_KEY and OSM fallback; the runtime code uses that optional credential, but it is not listed in the registry's required env list (minor mismatch).
Install Mechanism
ok
No install spec; this is instructions plus bundled scripts only, which is the lowest-risk install pattern. All code ships in the bundle rather than being downloaded at install time.
Credentials
concern
The primary env var STORMGLASS_API_KEY is appropriate. However, SKILL.md and the code reference an optional GOOGLE_GEOCODING_API_KEY for geocoding, and the registry metadata does not declare this optional env var. The mismatch could confuse automated tooling that only exposes declared credentials. No other unrelated secrets or config paths are requested.
Persistence & Privilege
ok
The skill does not request always:true and does not claim to modify other skills or system-wide configuration. It runs as a CLI tool (the agent invokes the script) and can be used autonomously by agents (the default), which is normal for skills.
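The two checks this review asks for by hand, confirming that the bundled script contacts no unexpected remote endpoints (Guidance, item 4) and spotting env vars the code reads that the registry does not declare (Credentials), can be automated with a small static triage pass over the script's AST. The following is an added example, not ClawHub's scanner and not code from the Stormglass skill. It runs on a constructed stand-in for a bundled script rather than the real surf_report.py, and the allowed hostnames (api.stormglass.io, maps.googleapis.com, nominatim.openstreetmap.org) are assumptions for the three services the review names.

```python
"""Static triage of a bundled skill script: which hosts it talks to and which
environment variables it reads, compared against what the registry declares.

Added example; not the ClawHub scanner and not code from the skill.
"""
import ast
import json
import re
import sys
from urllib.parse import urlparse

# Constructed stand-in for a bundled script (NOT the real surf_report.py).
SAMPLE_SOURCE = '''
import os
import requests

STORMGLASS_URL = "https://api.stormglass.io/v2/weather/point"
GOOGLE_URL = "https://maps.googleapis.com/maps/api/geocode/json"
OSM_URL = "https://nominatim.openstreetmap.org/search"

def fetch_weather(lat, lng):
    key = os.environ["STORMGLASS_API_KEY"]
    return requests.get(STORMGLASS_URL, headers={"Authorization": key},
                        params={"lat": lat, "lng": lng}).json()

def geocode(name):
    gkey = os.getenv("GOOGLE_GEOCODING_API_KEY")
    if gkey:
        return requests.get(GOOGLE_URL, params={"address": name, "key": gkey}).json()
    return requests.get(OSM_URL, params={"q": name, "format": "json"}).json()
'''

# Assumed hostnames for the three services named in the review.
ALLOWED_HOSTS = {"api.stormglass.io", "maps.googleapis.com", "nominatim.openstreetmap.org"}
# What the registry metadata declares (per the review: only the primary key).
DECLARED_ENV = {"STORMGLASS_API_KEY"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _is_os_environ(node):
    """True for the expression `os.environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def _is_env_getter(func):
    """True for `os.getenv` or `os.environ.get` used as a call target."""
    if not isinstance(func, ast.Attribute):
        return False
    if func.attr == "getenv":
        return isinstance(func.value, ast.Name) and func.value.id == "os"
    return func.attr == "get" and _is_os_environ(func.value)


def collect_urls(source):
    """Every http(s) URL appearing in a string literal (f-string parts included)."""
    urls = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            urls.update(URL_RE.findall(node.value))
    return urls


def collect_env_vars(source):
    """Names read via os.environ["X"], os.environ.get("X") or os.getenv("X")."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            # Python 3.9+: the subscript expression is the slice node itself.
            if isinstance(node.slice, ast.Constant) and isinstance(node.slice.value, str):
                names.add(node.slice.value)
        elif isinstance(node, ast.Call) and _is_env_getter(node.func) and node.args:
            first = node.args[0]
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                names.add(first.value)
    return names


def triage(source, allowed_hosts=ALLOWED_HOSTS, declared_env=DECLARED_ENV):
    """Compare the script's literal hosts and env reads against the allowlist and
    the registry's declared env list. Anything in 'unexpected_hosts' or
    'undeclared_env' is what a reviewer should inspect by hand."""
    hosts = {urlparse(u).hostname for u in collect_urls(source)}
    hosts.discard(None)
    env = collect_env_vars(source)
    return {
        "hosts": sorted(hosts),
        "unexpected_hosts": sorted(hosts - set(allowed_hosts)),
        "env_vars": sorted(env),
        "undeclared_env": sorted(env - set(declared_env)),
    }


if __name__ == "__main__":
    # Usage: python triage.py [path/to/surf_report.py]; defaults to the sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    print(json.dumps(triage(src), indent=2))
```

On the constructed sample this reports the three expected hosts, no unexpected hosts, and GOOGLE_GEOCODING_API_KEY as the one undeclared env var, which is exactly the mismatch the Credentials dimension flags. The pass only sees hostnames and env names that appear as string literals; a URL assembled at runtime, decoded from base64, or read from a config file will not show up, which is why the review still recommends running the test runner in a sandbox and checking its logs (or egress records) rather than relying on source inspection alone.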