Back to skill
Skillv0.2.0
ClawScan security
Route between two locations · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 17, 2026, 4:08 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it simply validates input and calls the Camino routing API using a single CAMINO_API_KEY; nothing in the files or instructions requests unrelated credentials or system access.
- Guidance
- This skill appears to do only routing queries and needs just a CAMINO_API_KEY. Before installing: (1) verify the API host (https://api.getcamino.ai) and the GitHub repo if you plan to use npx to install the whole collection, (2) ensure you have curl and jq installed (SKILL.md and scripts require them), (3) avoid pasting your API key into public places and consider setting it in your agent's config with correct file permissions, and (4) review any remote-install commands (npx/clawhub) to see what code will be executed. The included script is small and straightforward, but installing the full repo could introduce other code — review that repository first.
Review Dimensions
- Purpose & Capability
- okName and description match the code and instructions: the script builds a query from start/end coordinates and calls https://api.getcamino.ai/route. The only required credential is CAMINO_API_KEY, which is appropriate for this purpose. Note: the registry metadata listed no required binaries, but SKILL.md and the script require curl and jq — this is a minor metadata inconsistency.
- Instruction Scope
- okSKILL.md and scripts stay within scope: they validate JSON, require start/end coords, read CAMINO_API_KEY, and make an HTTPS GET to the Camino API. No instructions to read other files, harvest unrelated env vars, or POST data to third-party endpoints are present. The doc does advise adding the API key to ~/.claude/settings.json and offers a trial endpoint (https://api.getcamino.ai/trial/start), both of which are reasonable for this integration.
- Install Mechanism
- noteThere is no formal install spec (instruction-only), and the included scripts are simple and static. However, the README suggests installing an entire GitHub repo via npx (npx skills add https://github.com/barneyjm/camino-skills), which will pull remote code — review that repository before running the installer. The provided local script does not download or execute remote code itself.
- Credentials
- okThe skill only requests one credential (CAMINO_API_KEY) and uses it directly in API calls. No extra tokens, keys, or unrelated environment variables are requested. This is proportionate to a routing API integration. (Again: SKILL.md expects curl/jq even though registry metadata omitted them.)
- Persistence & Privilege
- okThe skill does not request always:true or attempt to modify other skills or system settings. It runs on demand and only requires the user-provided API key to operate.