Skill v1.2.0
ClawScan security
airq · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 10:45 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are consistent with its stated purpose (installing and using an airq CLI) with only minor deploy-time cautions (third‑party tap, downloaded binary, and optional PDF tooling).
- Guidance: This skill appears to do what it claims (a CLI air‑quality tool). Before installing: 1) Inspect the Homebrew tap and GitHub release (fortunto2/airq) to ensure you trust the upstream author; 2) Be prepared to run sudo to move a binary to /usr/local/bin or install via cargo (which requires Rust); 3) If you need PDF reports, ensure headless Chrome or wkhtmltopdf is installed since the README mentions them but doesn't install them; 4) Note the tool will cache sensor CSVs and Overpass responses under ~/.cache/airq and write config to ~/.config/airq; review those files if sensitive. If you want stronger assurance, ask the publisher for a verified source (official homepage or repo) or inspect the release archive before running it.
Review Dimensions
- Purpose & Capability (ok): The SKILL.md describes a CLI for air quality queries and the instructions only reference installing/running that CLI and interacting with Open-Meteo, Sensor.Community, and Overpass (all relevant to air quality and source attribution). No unrelated credentials, services, or system subsystems are requested.
- Instruction Scope (note): Instructions reference creating config (~/.config/airq/) and caching (~/.cache/airq/) which is appropriate for a CLI. They instruct network calls to Open-Meteo, Sensor.Community, and Overpass APIs (expected). They also mention generating PDFs via headless Chrome or wkhtmltopdf but do not declare these as required binaries—users should be aware additional tooling may be needed for PDF export.
- Install Mechanism (note): No install spec in the registry (instruction-only). Installation methods point to GitHub releases (curl + tar) and a Homebrew tap (fortunto2/tap) and cargo. GitHub releases is a common pattern; using a third‑party Homebrew tap (rather than the main repo) is higher risk than an official formula and merits verification of the source.
- Credentials (ok): The skill declares no required environment variables or credentials. The config and cache paths it uses are proportional to a CLI tool that stores preferences and downloaded sensor data. No unexpected secret access is requested.
- Persistence & Privilege (note): The skill does not request persistent agent privileges (always:false). Installation instructions include moving a binary to /usr/local/bin with sudo, which requires elevated privileges at install time—common for system-wide CLI install but worth noting before running commands.
