Skill v1.0.0

ClawScan security

Basic Integration Guide · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 11:06 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only integration guide that is internally consistent with its stated purpose and does not request credentials or install code, though some example defaults (plaintext gRPC, SNAPSHOT deps) warrant caution before production use.
Guidance
This skill is a documentation-only integration guide and appears coherent with its stated purpose. Before using it in production:

1) Do not use the example negotiationType: plaintext. Enable TLS/mTLS for gRPC and ensure Authorization metadata is sent only over encrypted channels.
2) Verify Maven coordinates and avoid pulling SNAPSHOT artifacts from untrusted repositories.
3) Update host/address placeholders (dns:///basic-service:9090) to your environment and restrict network access appropriately.
4) Treat bearer tokens/OIDC credentials securely (store secrets in a vault, avoid committing them).
5) Test the integration in an isolated environment first.

Because the skill contains no installers or requests for secrets, the immediate risk is low, but the configuration examples include insecure defaults you should correct.

Review Dimensions

Purpose & Capability
ok: The name/description (basic foundation service integration: i18n, project, tenant, dict, storage, auth) matches the SKILL.md content: Maven dependencies, gRPC/REST API usage, protobuf messages, headers/metadata for tenant and auth. The required resources (none) are proportionate to a documentation/integration guide.
Instruction Scope
note: The SKILL.md stays within integration scope (how to add deps, configure gRPC, pass headers/metadata, protobuf definitions and call examples). It does not instruct the agent to read local files, system state, or send data to unrelated endpoints. Note: the example gRPC config uses negotiationType: plaintext and address 'dns:///basic-service:9090', which are insecure, infrastructure-specific defaults and should not be used in production.
Install Mechanism
ok: No install spec and no code files are present (instruction-only). This minimizes on-disk execution risk; nothing is downloaded or installed by the skill itself.
Credentials
note: The skill does not declare or request environment variables or credentials. It documents passing Authorization, X-TENANT, and X-UID in headers/metadata, which is appropriate for an integration guide. Be aware the examples assume bearer tokens and plaintext gRPC; ensure tokens are provided securely and transport is encrypted in real deployments. Also, the Maven deps use 1.0.0-SNAPSHOT, which may indicate an unstable or internal artifact source.
Persistence & Privilege
ok: always:false and default model invocation settings are used. The skill does not request persistent installation or attempt to modify agent/system settings. No elevated persistence privileges are evident.