Back to skill
Skillv1.4.2
ClawScan security
Windsensei · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 22, 2026, 1:07 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are consistent with its stated purpose (checking wind/weather and managing spot-related features); it is an instruction-only skill that makes HTTPS calls to windsensei.com and optionally accepts a single API key for personalized features.
- Guidance
- This skill is coherent and minimal: it only talks to windsensei.com and optionally accepts a single API key for personalized data. Before installing, consider whether you want to store your WINDSENSEI_API_KEY in the agent environment (rotate keys if you revoke access later), verify you trust windsensei.com, and be mindful that calendar actions use your agent's calendar tooling (the skill does not request calendar credentials itself). Refuse to provide unrelated credentials or system access; if you have policy questions, only enable the API key when you need personalized features.
Review Dimensions
- Purpose & Capability
- okName/description match the documented behavior: all described functionality is served by calls to windsensei.com APIs. No unrelated credentials, binaries, or system access are requested.
- Instruction Scope
- okSKILL.md only describes making HTTPS requests to the WindSensei API and optional calendar interactions via the host agent's calendar tools. It does not instruct the agent to read local files, other environment variables, or transmit data to third parties outside windsensei.com.
- Install Mechanism
- okInstruction-only skill with no install spec or code files; nothing is written to disk or downloaded, minimizing installation risk.
- Credentials
- okOnly an optional WINDSENSEI_API_KEY is described (prefixed ss_). The skill explicitly states it works without the key and requires no other secrets; this is proportionate to the personalization features described.
- Persistence & Privilege
- okThe skill is not force-included (always: false) and does not request persistent system privileges or modifications to other skills/config. Default autonomous invocation is enabled (platform normal) but does not on its own increase concern here.