Skill v0.1.0
ClawScan security
Pipe17 Openclaw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:32 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- This is an instruction-only Pipe17 API helper that only needs a Pipe17 API key and its behavior matches that purpose, but the package metadata is incomplete/absent (no source/homepage) and there's a small mismatch between registry metadata and the SKILL.md which you should verify before installing.
- Guidance
- The skill appears to be a straightforward Pipe17 API helper and only needs a Pipe17 API key. Before installing: 1) Prefer to provide a least-privilege Pipe17 API key (do not reuse org-wide admin keys). 2) Verify the skill's origin/source (no homepage or source repo listed) — ideally obtain the SKILL.md from a known maintainer. 3) Confirm the registry metadata is updated to list PIPE17_API_KEY as required. 4) Monitor API activity for unexpected requests after enabling the skill. If you cannot verify the source, treat it as untrusted and avoid supplying high-privilege credentials.
Review Dimensions
- Purpose & Capability
- ok: The SKILL.md describes a Pipe17 API integration (search/read orders, shipments, fulfillments, inventory). The runtime instructions and required credential (PIPE17_API_KEY) are exactly what such a skill needs. No unrelated services, binaries, or credentials are requested.
- Instruction Scope
- ok: Instructions are limited to calling the Pipe17 REST API (curl examples) and advise exporting PIPE17_API_KEY. They do not instruct reading local files, other env vars, or sending data to third-party endpoints beyond api-v3.pipe17.com.
- Install Mechanism
- ok: No install spec and no code files — the skill is instruction-only, so nothing is written to disk by an installer. This is the lowest-risk install model.
- Credentials
- note: The SKILL.md requires a single PIPE17_API_KEY which is proportionate to the stated purpose. However, registry metadata included with the submission indicated 'Required env vars: none' while the SKILL.md declares PIPE17_API_KEY as required — this metadata mismatch should be resolved before trusting the package.
- Persistence & Privilege
- ok: The skill is not forced-always (always: false) and uses default autonomous-invocation behavior. That is normal for a helper skill. It does not request elevated persistence or access to other skills' configs.
