Skill v0.1.0

ClawScan security

Journey Planning with Waypoints · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 8:54 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required credential (CAMINO_API_KEY) are consistent with a multi-waypoint journey planning integration that calls api.getcamino.ai; nothing in the package suggests unexplained access or data exfiltration.
Guidance
This skill appears to do what it says: it validates input and forwards it to Camino's journey endpoint, using only CAMINO_API_KEY. Before installing, confirm you trust the Camino service and the GitHub repo if you follow the npx install instructions. Use a dedicated API key (or the temporary trial key) rather than reusing high-privilege credentials, ensure jq and curl are installed, and be aware the README suggests storing the key in ~/.claude/settings.json (agent config) for convenience — store keys where you are comfortable and rotate them if needed.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the skill validates JSON input and POSTs it to https://api.getcamino.ai/journey using a single API key (CAMINO_API_KEY). Required tools (curl, jq) are appropriate for the provided shell script.
Instruction Scope
ok: SKILL.md and scripts/journey.sh limit actions to validating input, checking CAMINO_API_KEY, and sending the request to the Camino API. The README suggests adding the key to ~/.claude/settings.json (agent config), which is reasonable for convenience and expected for an API-key-backed skill.
Install Mechanism
note: No formal install spec is embedded in the package (instruction-only + included script). SKILL.md suggests using npx to install a GitHub-hosted 'camino-skills' collection or clawhub; GitHub and official npx usage are common, but fetching and running packages from third-party repos carries the usual supply-chain risk. This is optional and not required for the skill to work locally.
Credentials
ok: Only one credential (CAMINO_API_KEY) is requested and used by the script. That is proportionate to the declared purpose. The skill does not request unrelated secrets or system credentials.
Persistence & Privilege
ok: always:false and no attempt to modify other skills or system-wide settings. Writing the API key into the agent's settings.json is suggested for convenience but is normal for API-key-based skills and limited in scope.