Skill v1.0.1
ClawScan security
datapilot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 9:43 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (a DataPilot CLI) but its implementation logs the raw API credential to a local logfile and writes persistent logs without disclosing that in the SKILL.md, creating a credential-leakage/privacy risk.
- Guidance: This skill is coherent with its stated purpose (a Node CLI for DataPilot) but the bundled script writes persistent logs and explicitly logs the DATAPILOT_API_KEY value into dataagent_cli.log. Before installing or running:
  1) Do not supply a high-privilege/long-lived API key — create a least-privilege key you can rotate.
  2) Inspect or modify dataagent_openapi_cli.mjs to remove or sanitize keyenv logging (replace raw key with sanitized value or remove the field).
  3) Run the script in an isolated environment (ephemeral container or sandbox) if you must test it, and ensure the logfile is not included in backups or synced locations.
  4) Consider deleting or securing dataagent_cli.log after use and rotating the API key if it was exposed.

  If the author can clarify why the raw API key is logged and remove that behavior, the risk would be substantially reduced.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (node), and required env vars (DATAPILOT_API_URL, DATAPILOT_API_KEY) align with the included CLI script that calls a DataPilot OpenAPI (create-instance, ask, list-agents, knowledge management). Requested resources (API URL + key, ability to read user-provided datasource files) are proportional to the stated purpose.
- Instruction Scope (concern): SKILL.md instructs running the included node script and supplying datasource files; the runtime code reads user-supplied files (datasource JSON, sqlite .db) which is expected. However, the SKILL.md does not mention that the CLI will write a persistent log file in the skill directory or that it logs authentication material. The code calls writeLog() frequently and in getAuthHeaders() it passes keyenv: process.env.DATAPILOT_API_KEY (the raw API key) to the logger, which is a mismatch with the documentation and a potential secret-exposure vector.
- Install Mechanism (ok): There is no install spec (instruction-only + included node script). That is low-risk in terms of external code downloads. The included JS file will be executed with node; no external archive downloads or third-party package installs are present in the bundle.
- Credentials (concern): Requiring DATAPILOT_API_URL and DATAPILOT_API_KEY is appropriate for an API client. However, the code logs environment and argument data to a local log file and — crucially — writes the raw DATAPILOT_API_KEY into logs (getAuthHeaders calls writeLog with keyenv: process.env.DATAPILOT_API_KEY). Even partial exposure or local logging of secrets is disproportionate and increases risk if the logfile is accessible, synced, or exfiltrated.
- Persistence & Privilege (note): always:false and the skill does not request system-wide privileges or modify other skills. It does create/append a local logfile (dataagent_cli.log) in the script directory, which is persistent on disk; this persistent logging combined with credential logging is the main concern but does not indicate elevated platform privileges.
