Skill v1.0.0

ClawScan security

Baserow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 1, 2026, 4:01 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions generally match a Baserow integration, but there are important inconsistencies and risky details (undeclared required credentials, a baked-in instance URL, and a literal example token in the docs) that warrant caution before installing.
Guidance
Do not install blindly. Ask the publisher to explain the registry/README mismatch (the registry says no env vars, the SKILL.md requires BASEROW_BASE_URL and BASEROW_TOKEN). Confirm whether the token string included in the SKILL.md is a real credential; if it is, rotate it immediately and do not use this skill until the token is revoked. Prefer creating a least-privilege API token scoped only to the tables/operations the agent needs. If you proceed, store the token securely (avoid long-lived plaintext if possible), verify the base URL is the intended host, and test with a disposable token first. If you lack confidence in the publisher, treat this skill as untrusted and do not give it access to production tokens.

Review Dimensions

Purpose & Capability
concern
The skill name/description (Baserow REST access) aligns with the runtime instructions, which call a Baserow API. However, the registry metadata claims no required environment variables while the SKILL.md clearly requires BASEROW_BASE_URL and BASEROW_TOKEN. The SKILL.md also hardcodes a default instance (https://baserow.ericbone.me) and maps specific table IDs for a Renpho CRM, which makes this skill specific to a single deployment rather than a general Baserow integration. These discrepancies are unexpected and should be clarified.
Instruction Scope
note
Instructions are explicit about how to read/write rows (python urllib for GET, curl for PATCH/POST) and reference the local secrets file ~/.openclaw/.env. Reading that file and sourcing it is required to operate, which is within scope for this integration. The SKILL.md also instructs agents to write/validate the .env (and to use shell export/grep/xargs), which grants the agent the ability to create or read a plaintext token file. That is reasonable for operation but sensitive, and it should be constrained and audited.
Install Mechanism
ok
This is an instruction-only skill with no install steps or additional packages, and it relies only on python3 and standard shell tools. No downloads or archives are performed, so install risk is low.
Credentials
concern
The SKILL.md requires BASEROW_TOKEN and BASEROW_BASE_URL (a personal API token and base URL), but the registry metadata did not list any required env vars or a primary credential. Worse, the README contains a literal token-like example value ('mOsuizlNhy...'), which could be an exposed credential. Requesting a Baserow token is reasonable for this purpose, but (a) the missing declaration in registry metadata is an inconsistency, and (b) the presence of a sample token in the skill doc is a high-risk disclosure that must be verified and rotated if real.
Persistence & Privilege
ok
The always field is false and the skill is user-invocable; it does not request system-wide configuration changes or persistent installation. However, because the skill requires a token, an agent that is allowed to invoke the skill autonomously could act on that token. This is normal, but it is worth noting as an operational risk if the token has broad privileges.