Aloudata CAN SKILLS - metric-attribution

Pass. Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is coherent for metric attribution, but users should note that it requires an Aloudata CAN API key and has minor metadata inconsistencies.

Before installing, confirm you trust Aloudata as the API provider, configure a least-privilege CAN_API_KEY, and be aware that business metric queries and results will go through gateway.can.aloudata.com. The skill has no code or install script in the provided artifacts, but the credential and version metadata should be cleaned up by the publisher.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can use the configured CAN_API_KEY to query metric and dimension data from the Aloudata Gateway; if the key is broad, responses may include sensitive business metrics.

Why it was flagged

The skill requires reading a local API key and using it for outbound requests to the Aloudata Gateway. This is expected for the integration, but it is still delegated account/API authority.

Skill content

permissions: ... env:read ... network:outbound ... name: "CAN_API_KEY" ... required: true ... domain_whitelist: "gateway.can.aloudata.com"

Recommendation

Use a least-privilege CAN API key, store only the intended key in the environment, and prefer the documented X-API-Key header rather than putting API keys in URLs.

What this means

A user or installer relying only on registry metadata may not realize the skill needs a CAN_API_KEY until reading SKILL.md.

Why it was flagged

The registry metadata under-declares the credential requirement that SKILL.md later states as required, which can reduce pre-install visibility.

Skill content

Required env vars: none ... Env var declarations: none ... Primary credential: none

Recommendation

Publisher should align registry capability and credential declarations with SKILL.md; users should review SKILL.md before configuring credentials.

What this means

Version mismatch can make it harder to verify exactly which package revision is being installed.

Why it was flagged

The package _meta.json version differs from the supplied registry/SKILL version 1.0.4, indicating a minor package metadata inconsistency.

Skill content

"version": "1.0.1"

Recommendation

Verify the publisher and intended version before installation; publisher should synchronize _meta.json with registry metadata.