Skill v1.0.0
ClawScan security
CardPointers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 8:11 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a thin wrapper around the CardPointers CLI and its requirements and instructions are consistent with that purpose; nothing indicates it is trying to access unrelated secrets or subsystems.
- Guidance: This skill is a straightforward integration with the CardPointers CLI. Before installing: (1) verify you trust the cardpointers Homebrew tap (review the formula/tap contents) because third‑party taps can run install scripts; (2) expect the CLI to create and read a JWT token at ~/.cardpointers/config when you run 'cardpointers login' — that token grants the CLI access to your CardPointers account, so treat that file as sensitive; (3) no extra credentials are required by the skill itself, but the login flow may use email/password or browser-based SSO (Apple/Google/passkey); (4) if you prefer extra isolation, run the CLI in a sandboxed environment or inspect the tap before installing. If you need me to fetch the brew formula URL or show exact install steps to inspect, I can do that first.
Review Dimensions
- Purpose & Capability (note): Name/description match the runtime instructions: the skill just runs the CardPointers CLI to query cards/offers. Declared required binaries (cardpointers, jq) are appropriate. Minor inconsistency: SKILL.md also lists 'curl' and 'bash' as required but the registry metadata only declared cardpointers and jq; this is a small documentation mismatch, not a material capability gap.
- Instruction Scope (ok): SKILL.md directs the agent to run the cardpointers CLI and related subcommands and to use ~/.cardpointers/config (a JWT token file created on login). All referenced files, variables, and commands are directly relevant to querying the CardPointers service; there are no instructions to read unrelated system files or exfiltrate data elsewhere.
- Install Mechanism (note): Install spec uses Homebrew formulas: cardpointers/tap/cardpointers and jq. jq is a standard formula; cardpointers is provided via a third‑party tap (cardpointers/tap). Installing from a non-official tap is common for CLI tools but carries moderate risk because taps can include install-time scripts—verify the tap/formula before installing.
- Credentials (ok): The skill does not require any credentials or sensitive environment variables. SKILL.md documents optional env vars (CARDPOINTERS_API, CARDPOINTERS_DEBUG, NO_COLOR) that are reasonable for a CLI client; no unexplained SECRET/TOKEN/PASSWORD env vars are requested.
- Persistence & Privilege (ok): always is false and the skill does not request persistent platform-wide privileges. It stores/reads its own token at ~/.cardpointers/config (normal for a CLI) and does not attempt to change other skills or global agent settings.
