Skill v1.0.0

ClawScan security

Selva · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 2:44 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and required resources are internally consistent with a shopping CLI that talks to Selva's API and uses Stripe for card tokenization.
Guidance
This skill appears to do what it claims: it stores a Selva API key at ~/selva/config.json, calls the Selva API (default https://api.useselva.com), and tokenizes card details directly with Stripe (https://api.stripe.com/v1/tokens). Before installing or using: confirm you trust the external API host (api.useselva.com), avoid entering real card data in untrusted contexts (use the web settings page to link a card if you prefer), and be aware the CLI stores an API key in your home directory. There are no hidden network endpoints or unrelated credential requests in the package.

Review Dimensions

Purpose & Capability
ok: Name/description (shopping platform for AI agents) aligns with the code and SKILL.md: search, details, buy, orders, settings. Providers include amazon (and shopify in types), which matches the stated capability. Stripe use for tokenization is proportional to the 'buy' feature.
Instruction Scope
ok: SKILL.md instructs running selva-cli commands and storing an API key locally. The instructions do not ask the agent to read unrelated files or secrets. Card tokenization is handled via Stripe as documented; the SKILL.md and code consistently state that card details are not sent to the Selva API.
Install Mechanism
ok: There is no install spec (instruction-only), lowering install risk. Code files are present but no remote downloads or unusual installers are specified. package.json lists normal deps (commander, zod) and dev deps; nothing disproportionate or obscure is pulled from arbitrary URLs.
Credentials
ok: The skill declares no required env vars or credentials. It reads/writes a local config file for an API key and uses network calls to api.useselva.com and Stripe's token endpoint; both are necessary for the stated behavior. No unrelated service credentials are requested.
Persistence & Privilege
note: The CLI writes its own config to ~/selva/config.json (apiKey). This is expected and scoped to the skill. always is false and the skill does not modify other skills or system-wide settings.