Skillv2.0.0

ClawScan security

Train Robotic AI Models using Qualia · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 16, 2026, 2:34 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill’s requested resources, runtime instructions, and included scripts are coherent with its stated purpose (fine‑tuning robotics models via the Qualia API) and do not request unrelated credentials or perform unexplained actions.
Guidance: This skill appears internally consistent and implements a CLI for the Qualia service. Before installing: (1) Confirm you trust https://qualiastudios.dev and the api.qualiastudios.dev endpoint; (2) Only provide a Qualia API key with the minimum necessary scope/credits and be aware training costs (scripts call instances and estimate credits/hr); (3) If you use private datasets, note the skill will reference HuggingFace dataset IDs and send them to the Qualia API—ensure that aligns with your data privacy needs; (4) The skill runs bundled shell/Python scripts that will perform network requests — run them in a controlled environment or inspect them locally if you have concerns; (5) Revoke or rotate the API key if you stop using the skill. Overall this looks coherent for its stated purpose.

Purpose & Capability: okName/description, SKILL.md, README, and the two CLI scripts all focus on interacting with api.qualiastudios.dev to list models, inspect datasets, create projects, and launch/monitor finetune jobs; the only required environment variable is QUALIA_API_KEY which directly matches the described API access.
Instruction Scope: okRuntime instructions and the scripts only reference HuggingFace dataset IDs, model/instance selection, camera mapping, and calls to the Qualia API. They do not instruct reading unrelated local files, other environment variables, or sending data to unexpected external endpoints.
Install Mechanism: okNo install spec is present (instruction-only with included scripts). The bundled bash and python scripts are self‑contained and make HTTPS requests to the documented API host; there are no downloads from third‑party URLs or archive extraction steps.
Credentials: okOnly one env var is required (QUALIA_API_KEY). That is proportionate to the task; no broad or unrelated credentials/config paths are requested. The code accesses no other environment variables.
Persistence & Privilege: okThe skill is not force‑included (always: false) and does not modify other skills or system configuration. It relies on user-supplied API credentials and user invocation, so its system presence and privileges are minimal and expected.