Skill v0.2.0

ClawScan security

Real Estate Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 17, 2026, 4:10 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested credential (CAMINO_API_KEY) match its stated purpose of querying Camino AI location APIs and nothing in the package appears disproportionate or covert.
Guidance
This skill appears coherent and limited to calling Camino's public APIs. Before installing:
1) Confirm the GitHub repo (https://github.com/barneyjm/camino-skills) is trustworthy and review any code there;
2) Prefer using a trial or limited-scope API key first and monitor usage;
3) Be cautious when storing the API key in ~/.claude/settings.json—ensure that file is protected and you understand where your agent stores secrets;
4) If you need stricter isolation, run the provided shell script locally and inspect it (it only calls api.getcamino.ai) rather than installing unreviewed packages.
If you expect the skill to do anything beyond geocoding and context queries, do not install it until reviewed further.

Review Dimensions

Purpose & Capability
ok
Name/description, required environment variable (CAMINO_API_KEY), and referenced endpoints (api.getcamino.ai) align with a location-intelligence/real-estate evaluator. Declared binaries (curl, jq) are appropriate for the included shell script.
Instruction Scope
ok
SKILL.md and scripts instruct only: accept JSON input, optionally geocode an address, call Camino's /query and /context endpoints, and output JSON. They do not instruct reading unrelated local files or contacting unexpected endpoints. The README suggests storing the API key in ~/.claude/settings.json (user action), which is expected for convenience but is a local secret storage choice to be considered by the user.
Install Mechanism
note
The registry has no automated install spec (instruction-only skill with an included script). SKILL.md suggests using npx to fetch a third-party GitHub repo or clawhub; fetching code from an external repo is common, but users should verify the repo's authenticity before running install commands.
Credentials
ok
Only one credential (CAMINO_API_KEY) is required and it's the expected API key for the Camino API used by the script. No other secrets or unrelated environment variables are requested.
Persistence & Privilege
ok
The skill does not request always:true and does not modify other skills or system-wide settings. It runs as an on-demand script and only uses the declared API key and network calls to Camino's API.