Back to skill
Skillv1.0.2
ClawScan security
Numerology Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 3:10 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it requires a ToolWeb API key and curl to call the external numerology API and its instructions match that purpose, but it will send personal data (name and birthdate) to a third-party service so review privacy and billing before enabling.
- Guidance
- This skill is coherent but sends personal data (full name and birth date) to https://portal.toolweb.in for every request and tracks calls for billing. Before installing: verify you trust ToolWeb (review their privacy policy, data retention, and terms), use a limited-scope or revocable API key if possible, warn end users that their PII will be sent to a third party and obtain consent, monitor API usage/billing, and consider whether you need an offline/local alternative if you prefer not to transmit sensitive personal data. Also ensure curl is available and that network egress to portal.toolweb.in is acceptable in your environment.
Review Dimensions
- Purpose & Capability
- okName, description, required binary (curl), and required env var (TOOLWEB_API_KEY) align with an instruction-only skill that delegates numerology calculations to portal.toolweb.in.
- Instruction Scope
- noteInstructions consistently direct the agent to always call the ToolWeb API and not to generate local results. This is coherent with the stated design but means the skill will transmit PII (full name and birth date) and include session metadata to an external service; the SKILL.md requires no unrelated file or env access.
- Install Mechanism
- okNo install spec or code files are included (instruction-only), so nothing is written to disk by the skill itself — low install risk.
- Credentials
- okOnly TOOLWEB_API_KEY is required (declared as primaryEnv) and curl must exist; these are proportionate for a wrapper that calls an external API. No unrelated credentials or config paths are requested.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or persistent platform privileges or modify other skills' config. Autonomous invocation is allowed by default but not excessive here.