Skill v1.0.3
ClawScan security
KlickAnalytics CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 12:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (teaching/using the KlickAnalytics CLI) matches its requirements and instructions: it only asks for a single API key and contains purely instructional content with no install scripts or unrelated access.
- Guidance: This skill appears coherent, but treat the API key like any third-party credential. Before installing or using the CLI: (1) verify the pip package (klickanalytics-cli) on PyPI or the vendor site to ensure it’s the official package, (2) obtain your API key only from the official KlickAnalytics site, (3) limit where you store the key (avoid committing to dotfiles in shared repos), consider using a scoped/limited key if offered, (4) monitor usage/billing tied to the key and rotate if compromised, and (5) if you need to be extra cautious, inspect the package source code before installing or run it in an isolated environment.
Review Dimensions
- Purpose & Capability (ok): The name/description describe a CLI for financial analytics and the skill only requires KLICKANALYTICS_CLI_API_KEY, which is exactly the kind of credential a remote CLI client would need. No unrelated binaries, credentials, or config paths are requested.
- Instruction Scope (ok): SKILL.md is instruction-only and stays on-topic: it shows how to install the CLI (pip), set the API key, and run specific ka commands. It does not instruct reading unrelated files, accessing other environment variables, or sending data to unexpected endpoints beyond the KlickAnalytics service referenced in the docs.
- Install Mechanism (ok): There is no install spec embedded in the skill bundle (instruction-only). The doc recommends pip install of a named package, which is a reasonable, expected install route for a CLI. The skill itself does not download or extract code from arbitrary URLs.
- Credentials (ok): Only a single API key (KLICKANALYTICS_CLI_API_KEY) is required and declared as primaryEnv. That is proportionate for a service-backed CLI. No unrelated secrets or broad system credentials are requested.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable; it does not attempt to modify other skills or request elevated platform privileges. Autonomous invocation is allowed by default but is not combined with other concerning factors here.
