Skill v0.2.3

ClawScan security

sensorpro.app · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 12:50 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and instructions match its stated purpose (managing a Sensorpro account); nothing requested or instructed appears unrelated or excessive.
Guidance
This skill appears to be what it claims: it will make REST calls to your Sensorpro instance and therefore needs an API key plus an API user/password. Before installing:
1) Only provide these secrets via environment variables or your platform's secret store (do not paste them into public code or SKILL.md).
2) Create a least-privilege API user in Sensorpro and enable IP allowlisting if possible.
3) Understand that, if you permit autonomous skill invocation for agents, the agent could call the Sensorpro API using these credentials—limit agent permissions if you want tighter control.
4) Rotate keys if they are exposed and audit API user activity in Sensorpro.
Overall this skill is internally consistent; proceed if you trust the skill source and follow the secret-handling advice above.

Review Dimensions

Purpose & Capability: ok
Name/description, required env vars (API key, org, API user, password), and required binaries (curl, python3) align with the Sensorpro REST API usage shown in SKILL.md. The dual use of an x-apikey header plus API-user credentials is consistent with the documented API flows.
Instruction Scope: ok
SKILL.md contains concrete curl examples that only call Sensorpro endpoints, shows signin/token usage and logoff, and explicitly warns about secret handling. It does not instruct reading unrelated files, probing other system state, or sending data to third-party endpoints.
Install Mechanism: ok
No install spec or remote downloads — this is an instruction-only skill. It assumes curl and python3 are present, which is reasonable given the examples.
Credentials: ok
The four required env vars (SENSORPRO_API_KEY, SENSORPRO_ORG, SENSORPRO_USER, SENSORPRO_PASS) are justified by the API signin and header requirements; nothing unrelated (cloud provider keys, tokens for other services, etc.) is requested.
Persistence & Privilege: ok
The skill's always flag is false, and the skill requests no system-wide config paths or other skills' credentials. The normal platform default allowing autonomous invocation is unchanged; that is expected for a usable integration.