Skill v1.0.0
ClawScan security
ai-grammar-checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 26, 2026, 5:02 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions ask the agent to run a Python script and to set a GRAMMAR_API_KEY, but the packaged skill contains no code, declares no environment requirements, and lists no source or homepage. These inconsistencies warrant caution.
- Guidance: This skill's instructions reference a local Python script (scripts/ai_grammar_checker.py) and an API key (GRAMMAR_API_KEY), but the skill package contains no code, no source link, and the registry metadata lists no required env vars. The mismatch could be harmless (the author forgot to include files) or intentional. Before installing or running: ask the author for the script source or a trustworthy homepage, confirm which external service the API key targets and what permissions it needs, and never paste real credentials until you have verified the implementation. If you must test, use a dummy API key and run in a sandbox. If the author cannot provide source or an explanation, do not install the skill or grant it real secrets.
- Findings
[NO_SCAN_FINDINGS] expected: The skill is instruction-only with no code files, so the regex-based scanner had nothing to analyze. Absence of findings is not evidence of safety; it only means the static layer had no input.
Review Dimensions
- Purpose & Capability (concern): The name and description (grammar checking) are plausible, but the SKILL.md requires a GRAMMAR_API_KEY and runs a local script (python3 scripts/ai_grammar_checker.py), while the registry metadata declares no required env vars or code files. Requesting an API key could be legitimate for a grammar service, but the declared metadata does not match the instructions, which is incoherent.
- Instruction Scope (concern): Runtime instructions tell the agent to run a local script at scripts/ai_grammar_checker.py and to set GRAMMAR_API_KEY. There are no code files in the package and no explanation of what the script does, where it comes from, or which external endpoint the API key is for. Apart from that script, the instructions reference no other files, but they assume a local artifact and a secret that are neither present nor declared.
- Install Mechanism (ok): There is no install spec (instruction-only skill), so nothing will be written to disk by an installer. This is low-risk from an install-mechanism perspective.
- Credentials (concern): The SKILL.md asks the user to set GRAMMAR_API_KEY, but the skill metadata lists no required environment variables and no primary credential. That mismatch is a red flag: the skill expects a secret but does not declare it, and there is no information about which service the key is for or what permissions it needs.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated persistence. Autonomous invocation is allowed by default, which is not in itself a problem and is not combined with other high privileges here.
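The Instruction Scope and Credentials dimensions above both boil down to one mechanical check: do the artifacts and secrets that SKILL.md tells the agent to use actually exist in the package and in the registry metadata? The following is an added example of that consistency check, written for this page; it is not ClawScan's own code and does not reproduce the real skill's SKILL.md. The sample SKILL.md text, file list and metadata dict are constructed to mirror what the report describes, and the regexes, the `env`/`homepage`/`source` metadata keys and the verdict thresholds are assumptions.

```python
"""Cross-check a skill's SKILL.md instructions against its package and metadata.

Added example (not ClawScan's code). Flags scripts the instructions invoke
that are absent from the package, and secret-like env vars the instructions
require that the registry metadata never declares.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the report's description, not the real skill text.
SAMPLE_SKILL_MD = """\
# ai-grammar-checker

Set the environment variable GRAMMAR_API_KEY before use.

Run the checker:

    python3 scripts/ai_grammar_checker.py --input draft.md
"""
SAMPLE_PACKAGE_FILES = ["SKILL.md"]                        # constructed: instruction-only package
SAMPLE_METADATA = {"env": [], "homepage": None, "source": None}  # constructed: nothing declared

# Assumed patterns: interpreter + script path, and secret-looking env var names.
SCRIPT_RE = re.compile(r"\b(?:python3?|node|bash|sh)\s+([\w./-]+\.(?:py|js|sh))\b")
ENV_RE = re.compile(r"\b([A-Z][A-Z0-9_]*_(?:KEY|TOKEN|SECRET|PASSWORD))\b")


@dataclass
class SkillReport:
    referenced_scripts: list
    missing_scripts: list      # invoked by SKILL.md but not shipped in the package
    referenced_env: list
    undeclared_env: list       # required by SKILL.md but absent from metadata["env"]
    has_provenance: bool       # metadata carries a homepage or source link

    def verdict(self) -> str:
        """Assumed policy: any mismatch without provenance is 'suspicious',
        a mismatch with provenance is 'caution', no mismatch is 'ok'."""
        if not (self.missing_scripts or self.undeclared_env):
            return "ok"
        return "caution" if self.has_provenance else "suspicious"

    def summary(self) -> str:
        lines = [f"verdict: {self.verdict()}"]
        for s in self.missing_scripts:
            lines.append(f"script referenced but not packaged: {s}")
        for e in self.undeclared_env:
            lines.append(f"secret required but not declared: {e}")
        if not self.has_provenance:
            lines.append("no homepage/source link in metadata")
        return "\n".join(lines)


def check_skill(skill_md: str, package_files, metadata: dict) -> SkillReport:
    """Compare what SKILL.md instructs against what the package and metadata provide."""
    files = {f.lstrip("./") for f in package_files}
    scripts = sorted(set(SCRIPT_RE.findall(skill_md)))
    envs = sorted(set(ENV_RE.findall(skill_md)))
    declared_env = set(metadata.get("env") or [])
    return SkillReport(
        referenced_scripts=scripts,
        missing_scripts=[s for s in scripts if s not in files],
        referenced_env=envs,
        undeclared_env=[e for e in envs if e not in declared_env],
        has_provenance=bool(metadata.get("homepage") or metadata.get("source")),
    )


if __name__ == "__main__":
    print(check_skill(SAMPLE_SKILL_MD, SAMPLE_PACKAGE_FILES, SAMPLE_METADATA).summary())
```

Run against the constructed sample this reports the script as referenced but unpackaged and GRAMMAR_API_KEY as required but undeclared, which is exactly the mismatch the verdict above rests on. The check is deliberately cheap and regex-based, so like the scanner it says nothing about what a shipped script would do; it only catches instructions that point at things the package does not contain.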
