Skill v1.0.2

ClawScan security

Privacy Solution Scorecard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 16, 2026, 3:11 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose — it delegates scoring to ToolWeb's API, requires only curl and an API key, and contains no unrelated requirements or install steps — but it will send user-supplied evaluation data to an external service, so review the API/provider before use.
Guidance
This skill calls https://portal.toolweb.in and sends organization and vendor evaluation data using the TOOLWEB_API_KEY. Before installing, verify ToolWeb's reputation, privacy policy, and billing terms; ensure you are comfortable sending any potentially sensitive or identifying data (avoid PII where possible). Protect the API key (store it securely and rotate if exposed) and consider testing with non-sensitive sample data first. If you need offline or locally auditable scoring, this skill is not suitable because it requires calling the external API for every assessment.
Findings
[no-findings] expected: The regex scanner found nothing — expected because this is an instruction-only skill (no code files). The primary behavior is an external API call described in SKILL.md.

Review Dimensions

Purpose & Capability
ok: Name and description match the runtime requirements: the skill is an API-backed scorecard and declares the TOOLWEB_API_KEY and curl, which are appropriate for calling portal.toolweb.in.
Instruction Scope
note: SKILL.md explicitly requires always calling the external ToolWeb API and forbids generating assessments locally. This is coherent for a proprietary scoring service but means any inputs (organization context, vendor notes, etc.) will be transmitted off-device—consider the sensitivity of data you provide.
Install Mechanism
ok: Instruction-only skill with no install spec or downloads. No code files to write or execute on the host; lowest install risk.
Credentials
ok: Only one credential is required (TOOLWEB_API_KEY) and curl is the sole binary dependency — proportional to the stated purpose. The skill does not request unrelated secrets or filesystem paths.
Persistence & Privilege
ok: The always flag is false and the skill does not request elevated or persistent system privileges. Autonomous invocation is allowed by default but is not combined with other red flags.