Skill v1.2.0
ClawScan security
Reporead · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 20, 2026, 2:38 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and helper scripts are consistent with a GitHub-repo analysis service that needs an API key and curl; nothing indicates hidden behavior, though there are a few minor implementation and privacy notes to consider.
- Guidance: This skill appears to do what it says: it calls https://api.reporead.com and needs a RepoRead API key. Before installing, consider: 1) storing the API key in your shell profile or MCP config will persist it on disk in plaintext — only do this if you trust the host and want persistent access; 2) importing repositories sends repo content to a third-party service — avoid importing private/confidential repos unless you trust RepoRead and understand their data handling; 3) the included helper scripts attempt to sanitize inputs, but the input checks are simple and may reject some valid inputs or be imperfect — avoid passing untrusted, specially crafted IDs/URLs; 4) rotate the key if you suspect it was exposed, and review RepoRead's privacy/security docs. If you need stronger guarantees, inspect the scripts yourself and prefer setting REPOREAD_API_KEY in a secure secrets store rather than embedding it in config files.
Review Dimensions
- Purpose & Capability [ok]: Name/description (RepoRead repo analysis) match the declared requirements: REPOREAD_API_KEY and curl. The scripts and REST endpoints target api.reporead.com and implement the advertised import/analysis/token endpoints; requested resources are proportionate to the stated purpose.
- Instruction Scope [note]: SKILL.md instructs the agent to set REPOREAD_API_KEY, optionally add it to MCP config files, import repos, start analyses, poll status, and fetch results. The runtime scripts only call the RepoRead API and do not access unrelated system files. Note: the docs recommend placing the API key in shell profiles and MCP JSON configs (plain text), which may store the secret on disk and should be considered a privacy/operational concern.
- Install Mechanism [ok]: No install spec; this is instruction-only with small helper scripts included. No downloads from third-party URLs and no archives extracted. Risk from the install mechanism is low.
- Credentials [note]: Only REPOREAD_API_KEY is required and identified as primaryEnv — proportional to the functionality. However, the SKILL.md encourages storing the key in shell profiles and MCP config JSON (plaintext); users should be aware that doing so persists the secret on disk and may expose it to other processes/users.
- Persistence & Privilege [ok]: always:false, and the skill does not request elevated platform privileges or modification of other skills' configs. It does suggest configuring an MCP server entry with the API key, which is normal for integration but stores the key in config.
