Back to skill
Skillv1.0.2
ClawScan security
sudu-gold · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 1:25 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it needs a Tavily API key and node, calls only api.tavily.com, and its code and instructions match the described gold‑price/analysis purpose.
- Guidance
- This skill will send your TAVILY_API_KEY and the search queries to api.tavily.com — make sure you trust Tavily and that the API key has only the permissions you intend. The script only requires node and the single API key; it does not access other files or credentials. If you have concerns about privacy or key leakage, create a limited-scope API key or rotate the key after testing. Note that invoking the skill without args triggers automatic analysis (it will make network requests), which is expected behavior.
Review Dimensions
- Purpose & Capability
- okName/description promise (gold prices and analysis) aligns with the shipped script and SKILL.md. The only required credential is TAVILY_API_KEY which is exactly what the script uses to call the Tavily search API.
- Instruction Scope
- okSKILL.md instructs running the included node script. The script only reads TAVILY_API_KEY, constructs search queries, and POSTs to https://api.tavily.com/search. It does not read unrelated files, other env vars, or contact unexpected endpoints.
- Install Mechanism
- okNo install spec (instruction-only + a small script). No downloads or archive extraction. Requiring node is reasonable for a .mjs script.
- Credentials
- okOnly a single API key (TAVILY_API_KEY) is required and is used by the script. There are no additional unrelated credentials or config paths requested.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or system-wide settings. Autonomous invocation is enabled (platform default) but not excessive here.