Skill v1.0.9

ClawScan security

Trending Skill Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 7:10 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and runtime requirements match its stated purpose: it queries the ClawHub API, stores state locally, and prints surge alerts — nothing requested appears disproportionate or unrelated.
Guidance
This skill appears coherent and limited to monitoring ClawHub. Before installing: ensure you trust network requests to https://clawhub.ai, confirm Node.js 18+ is available, and note it will create and update files under ~/.skill-surge-notifier by default (you can override paths with SURGE_DIR/STATE_PATH/CONFIG_PATH). If you want stricter control, run the commands manually or schedule them yourself rather than letting an agent invoke the skill autonomously.

Review Dimensions

Purpose & Capability
ok
Name/description (monitoring ClawHub metrics and alerting on surges) align with the code and runtime requirements. The only network calls are to https://clawhub.ai/api/v1/skills, which matches the stated purpose. Required binary is node, which is expected.
Instruction Scope
ok
SKILL.md instructions are constrained and explicit: run CLI commands, store state at ~/.skill-surge-notifier (or override via env), and optionally schedule via cron. The instructions do not ask the agent to read unrelated files, export secrets, or post results to third-party endpoints beyond ClawHub. Output is printed to stdout for the agent to capture.
Install Mechanism
ok
No install spec; the bundle contains JavaScript files and is intended to run directly under Node. No downloads from arbitrary URLs, no package manager installs — low-risk delivery.
Credentials
ok
No required credentials or secrets. Optional env vars (SURGE_DIR, STATE_PATH, CONFIG_PATH, SCHEDULED) only control file paths and a scheduling flag — reasonable and proportionate for a local monitor.
Persistence & Privilege
ok
always is false; the skill stores its own state/config under the user home directory (default ~/.skill-surge-notifier) and does not alter other skills or system-wide settings. Autonomous invocation by the agent is allowed by default but is not excessive given the skill's purpose.