Skill v0.1.1

ClawScan security

Moss Platform Quick Auth · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 3:11 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, inputs, and outputs are consistent with a simple 'quick auth' helper for the Moss platform and do not request unrelated privileges or credentials.
Guidance
This skill appears coherent for performing 'quick' API login/register flows against a Moss-studio host. Before installing or using it, ensure the host you supply is legitimate and reachable over TLS (you will be sending an email address and receiving tokens). Because the returned fields include access_token, refresh_token, api_key and a one-time temp_password, treat outputs as sensitive: keep the default masked display, only reveal full tokens when you explicitly request it, and store the temp_password immediately if needed. Note the skill will make network requests to any host you provide — do not point it to untrusted or unknown domains. The skill source is 'unknown' and there are no code files included; if you need stronger assurance, ask the publisher for provenance or a hosted repository before trusting it with real credentials.

Review Dimensions

Purpose & Capability
ok: The name/description (quick API login/register) matches the SKILL.md: it only needs a host and email and calls two specific endpoints (api-login, api-register). No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
note: Instructions are narrowly scoped to POSTing JSON to the provided host's /studio-api/v1/auth/quick endpoints and handling three error codes. They do handle and return sensitive fields (access_token, refresh_token, api_key, temp_password). The doc explicitly recommends default desensitization and immediate saving of temp_password; otherwise the runtime steps do not reference unrelated files, env vars, or external endpoints.
Install Mechanism
ok: No install spec or code files; instruction-only skill. No downloads or execution of third-party code are specified.
Credentials
ok: Requires only 'host' and 'email' as inputs. No environment variables, system credentials, or config paths are requested. The sensitive tokens returned are a property of the remote API and are reasonably within scope for an auth helper.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable; it does not request elevated or persistent platform privileges. Autonomous invocation is allowed by default on the platform but not specifically escalated by this skill.