Skill v1.3.0

ClawScan security

HiQ Cortex · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 5:21 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, runtime instructions, and required environment variables are coherent with its stated purpose (searching LCA datasets and running an LCA assistant) and request no unrelated credentials or system access.
Guidance
This skill appears to do what it says: it uses node and a single HIQ_API_KEY to call HiQ's API at x.hiqlcd.com. Before installing, confirm you trust hiqlcd.com and are comfortable that any query text (including BOMs or example data) will be transmitted to that service. Prefer setting HIQ_API_KEY as an environment variable rather than saving it in ~/.openclaw/openclaw.json if you want to avoid plaintext storage. If you run npm ci, inspect package.json first (current package.json has no dependencies, but future revisions could). Avoid including secrets or personal data in queries sent to the remote API. The registry version (1.3.0) differs from package.json version (1.1.2) — this is likely benign but you may want to verify the package source matches the published version.

Review Dimensions

Purpose & Capability
ok
The name/description request node and a single HIQ_API_KEY, and the code calls only x.hiqlcd.com endpoints. The requested binary (node) and primary credential (HIQ_API_KEY) are appropriate and expected for a remote-API-based LCA search and assistant.
Instruction Scope
note
SKILL.md and the scripts limit behavior to sending queries and BOMs to x.hiqlcd.com and reading HIQ_API_KEY. A minor scope note: SKILL.md suggests adding the API key to ~/.openclaw/openclaw.json (plaintext storage) or exporting it as an environment variable; both are within expected scope, but users should be aware the key will be stored and sent to the remote service and that any sensitive content included in queries will be transmitted.
Install Mechanism
note
There is no formal install spec in the registry (instruction-only), but SKILL.md suggests running npm ci in the skill directory. package.json contains no dependencies, so npm ci is low-risk here. Because installation is manual (not automatic), there is no unexpected remote install behavior. If you run npm ci in future versions, review package.json first.
Credentials
ok
Only a single API credential (HIQ_API_KEY) is required and declared as the primary credential. No other env vars, system config paths, or unrelated credentials are requested.
Persistence & Privilege
ok
The skill does not request always:true, does not modify other skills, and is user-invocable only. It does not request elevated or persistent system privileges.