Skill v1.0.0
ClawScan security
Proof · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 7:47 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, required resources, and behavior are consistent with a web-based Proof editor integration and do not request unrelated credentials or install anything.
- Guidance: This skill appears to be a straightforward integration with proofeditor.ai and does not ask for unrelated credentials or installs. Two practical things to consider before enabling: (1) the agent will by default join a shared Proof URL immediately and present itself (X-Agent-Id/by fields) — if you prefer to confirm with the user before joining or sharing presence, disable automatic use or ask the agent to prompt first; (2) the skill tells the agent to save returned access tokens/URLs but doesn't specify where or for how long; ensure you understand how your agent stores such tokens if you have policies about persisting third-party share tokens.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: the SKILL.md exclusively describes HTTP interactions with https://www.proofeditor.ai, joining docs, reading state, creating docs, and applying edits — all appropriate for a Proof integration.
- Instruction Scope (note): Instructions stay within the stated purpose (use Proof API endpoints, manage presence, apply edits). One behavior to note: the skill instructs the agent to 'join the doc immediately' when a Proof URL is shared and to 'save' returned tokens/URLs; this is consistent with the integration but may surprise users who expect explicit confirmation before joining or persisting share tokens.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded during install.
- Credentials (ok): No required environment variables, binaries, or unrelated credentials are requested. The skill expects sharing tokens embedded in Proof URLs (Authorization header, x-share-token or ?token), which is proportional to its function.
- Persistence & Privilege (ok): always is false and the skill does not request elevated or persistent platform privileges. It does instruct agents to save slug/accessToken/shareUrl/tokenUrl/_links after creating a doc; the destination and lifetime of that saved data are not specified in the SKILL.md, but saving those values is a normal part of managing shared doc sessions.
