Skill v1.0.0
ClawScan security
PickFu Market Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 10, 2026, 2:57 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions are consistent with a PickFu integration: it needs a PickFu API key, optionally uses the PickFu CLI (npm package), and its runtime steps (create/upload/publish surveys) match the described purpose.
- Guidance: This skill appears to do what it says, but review these practical points before installing:
  - It requires a PickFu API key (PICKFU_API_KEY). Only provide a key you control and understand; use least-privilege or a dedicated key if possible and be prepared to revoke it if needed.
  - The skill invokes the PickFu CLI via npx, which downloads and runs code from npm at runtime. If you need stronger assurance, inspect the @pickfu/cli package source (npm/GitHub) before use.
  - Uploading media uses your local files or URLs — any file you choose to upload will be transmitted to PickFu's servers. Do not upload secrets or sensitive files you don't want shared.
  - Publishing surveys will incur charges on your PickFu account; the skill states it will ask for confirmation before charging, but verify billing settings and limits.
  - The SKILL.md references an MCP server option; confirm that any MCP endpoint your environment uses is legitimate and under your control.
  - If you want higher confidence, review the source for @pickfu/cli and test with a low-privilege or limited-balance account first.
Review Dimensions
- Purpose & Capability (ok): The name/description match the declared requirements: a single PICKFU_API_KEY credential and an optional @pickfu/cli npm client are appropriate for a service that creates/publishes surveys, uploads media, and analyzes responses.
- Instruction Scope (note): SKILL.md stays within the PickFu domain: it instructs the agent to use MCP or the PickFu CLI (via npx) to generate/upload media, design surveys, publish, and fetch reports. It explicitly mentions uploading local files, which is expected for media but means any file you choose to upload will be transmitted to PickFu's service — the agent will show designs for confirmation before charging.
- Install Mechanism (note): Installation is via an npm package (@pickfu/cli), and the skill uses npx --yes to invoke the latest CLI at runtime. This is traceable and typical, but npx will download and execute remote code at runtime (moderate operational risk compared with instruction-only skills).
- Credentials (ok): Only one required environment variable (PICKFU_API_KEY) is declared and used; that is proportionate for interacting with PickFu's API. OAuth/headless is provided as an alternative for interactive auth.
- Persistence & Privilege (ok): The skill is user-invocable, not always-on, and does not request elevated platform-wide privileges or modify other skills. disable-model-invocation is false (normal), but there is no forced always:true presence.
