Back to skill
Skillv1.0.4
ClawScan security
Firestore · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 6, 2026, 6:47 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's actions, required tools, and instructions are consistent with its stated purpose of managing Firestore via the REST API; it is instruction-only, requests only gcloud/curl usage, and requires explicit user approval before executing commands.
- Guidance
- This skill appears coherent and low-risk in structure, but it operates with whatever permissions the active gcloud account has. Before using it: (1) ensure the active identity is a dedicated, least-privilege service account and confirm the active project via `gcloud config list`; (2) always review the full curl command the skill presents and only approve actions you expect (read operations can still expose sensitive data); (3) avoid using personal or owner/admin credentials; (4) test in a non-production project first; and (5) revoke tokens and audit Cloud Audit Logs if anything unusual occurs.
Review Dimensions
- Purpose & Capability
- okName/description (Firestore via REST) align with required binaries (curl, gcloud) and the instructions. gcloud is required to obtain OAuth tokens — this is expected for the described functionality.
- Instruction Scope
- okSKILL.md instructs the agent to run only gcloud commands to display context and generate short-lived access tokens, then construct curl requests to the Firestore REST API and always present the full command for user approval before executing. It does not request unrelated files, credentials, or network endpoints.
- Install Mechanism
- okInstruction-only skill with no install script or downloaded code. The included manual install guidance points to the official Google Cloud SDK docs — appropriate and low risk.
- Credentials
- okNo environment variables or external credentials are declared; the skill relies on gcloud CLI token generation (short-lived tokens inheriting the active account's permissions). That is proportional to the purpose, and the docs explicitly recommend using a least-privilege service account.
- Persistence & Privilege
- okalways is false, user-invocable is true, and disable-model-invocation is true (the skill does not execute autonomously). The skill does not request persistent system changes or modify other skills. This is appropriate for its function.