Skill v1.0.7
ClawScan security
sudo-gold · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 2:59 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested credential are consistent with a data-fetching gold-market analysis tool that calls the Tavily API; nothing in the files suggests unrelated access or covert behavior.
- Guidance: This skill appears to do exactly what it claims: call the Tavily API to fetch gold market data and produce a report. Before installing, verify you trust the Tavily service (api.tavily.com), ensure the TAVILY_API_KEY you provide has limited scope and can be rotated, and be aware that running the script will transmit that API key and the fixed query payloads to Tavily. Run it in an environment with Node present and with network egress allowed. If you need stronger guarantees, review Tavily's privacy/terms and consider provisioning a test API key with limited permissions or quota first.
Review Dimensions
- Purpose & Capability: ok. Name/description promise (gold prices, technical/fundamental analysis) matches the shipped script and SKILL.md. The skill requires node and a TAVILY_API_KEY and the script calls api.tavily.com to retrieve market/news/technical data — this is appropriate and proportionate.
- Instruction Scope: ok. SKILL.md instructs running the included Node script with a limited set of flags (--type or --analyze). The script only reads TAVILY_API_KEY from the environment and makes POST requests to https://api.tavily.com/search; it does not read unrelated files, scan system state, or send data to other endpoints.
- Install Mechanism: ok. There is no install spec (instruction-only with an included script). That is low risk; the only runtime requirement is the node binary, which is declared. No external archives or obscure download URLs are used.
- Credentials: ok. Only one environment variable (TAVILY_API_KEY) is required, and it is actually used by the script to authenticate requests to the Tavily API. The credential request aligns with the stated purpose. Note: the API key is sent in the POST body to api.tavily.com (expected for this integration).
- Persistence & Privilege: ok. The skill does not request persistent platform privileges (always is false), does not modify other skills or system configs, and relies on an explicit user invocation pattern — no elevated persistence observed.
