Skill v1.0.0
ClawScan security
Tripadvisor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 10:32 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared requirements, runtime instructions, and local storage behavior align with its stated Tripadvisor discovery and comparison purpose; nothing requested appears disproportionate or unrelated.
- Guidance: This skill appears coherent and behaves as a local TripAdvisor helper, but confirm these before installing: (1) You trust TripAdvisor with search terms sent to their API or public pages. (2) Provide a dedicated TRIPADVISOR_API_KEY and verify its scope/limits; if it is compromised you should revoke it. (3) The skill will create and write files under ~/tripadvisor/ only after asking; review those files (memory.md, request-log.md, caches) and avoid storing sensitive personal data there. (4) The skill's examples pass the API key in the query string; consider whether your API key should be sent in headers instead (if the API supports it) to reduce accidental leakage. (5) If you lack an API key the skill will fall back to UI mode, which navigates public TripAdvisor pages (cookies and rate limits apply). Finally, ensure curl/jq/sed are available on your system and periodically inspect or delete the local ~/tripadvisor/ folder if you no longer use the skill.
Review Dimensions
- Purpose & Capability: ok. Name/description (Tripadvisor discovery/comparison) matches the actual requirements: curl/jq/sed for HTTP + JSON parsing, a single TRIPADVISOR_API_KEY primary credential for official API calls, and a local config path (~/tripadvisor/) for caches and shortlists. All requested resources are plausible and proportionate for the stated functionality.
- Instruction Scope: ok. SKILL.md and supporting docs restrict actions to API requests and standard public web navigation, require user confirmation before creating local files, explicitly forbid scraping/bypass techniques, and limit local reads/writes to ~/tripadvisor/. The instructions do not ask the agent to read unrelated system files or other credentials.
- Install Mechanism: ok. No install spec (instruction-only) — lowest disk/remote-code risk. The skill relies on existing system binaries (curl/jq/sed) rather than downloading executables or running installers.
- Credentials: ok. Only one environment credential is required (TRIPADVISOR_API_KEY) and it is explicitly the primary credential. The skill documents redaction rules for logs and states it will not store secrets. The single API key is appropriate for the described API-first workflows.
- Persistence & Privilege: ok. always:false and default autonomous invocation are expected. Persistent data is limited to a clearly scoped ~/tripadvisor/ directory, and writes require user confirmation per setup.md. The skill does not claim or attempt to modify other skills or system-wide settings.
