Skill v0.1.0
ClawScan security
Parking Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 9:05 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and behavior are consistent with a location/parking lookup service that calls the Camino API and only needs a Camino API key.
- Guidance: This skill appears to do what it says: it sends parking/location queries to api.getcamino.ai and needs a CAMINO_API_KEY. Before installing or running: ensure you trust getcamino.ai and the GitHub repo referenced in the README if you plan to run the npx install; review any downloaded code. The included script requires curl and jq and will send location queries (lat/lon/query) to the Camino API using your API key, so avoid using a high-privilege or unrelated secret. If you obtain a trial key for testing, prefer a low-privilege/test key and rotate or revoke it if exposed.
Review Dimensions
- Purpose & Capability: ok. Name/description match the actual behavior: the script and SKILL.md call https://api.getcamino.ai to search for parking. Requesting CAMINO_API_KEY is appropriate and expected.
- Instruction Scope: ok. Runtime instructions and the included shell script only build a query from user JSON and call Camino's API. They reference putting the API key into ~/.claude/settings.json and show curl examples; they do not attempt to read unrelated files, other credentials, or exfiltrate data to unexpected endpoints.
- Install Mechanism: note. The skill has no automated install spec in the manifest (instruction-only) and includes a small shell script. The SKILL.md suggests installing companion skills via npx from a GitHub repo (https://github.com/barneyjm/camino-skills); that will download code from an external source and should be reviewed before running, but it is not required for basic function.
- Credentials: ok. Only a single credential (CAMINO_API_KEY) is required, which is proportional to a cloud API-backed parking lookup. The script uses only that env var and standard tools (curl, jq).
- Persistence & Privilege: ok. always is false and the skill does not request system-wide config changes or other skills' credentials. It only instructs storing the API key in the user's Claude settings (a user-facing config file).
