kshern
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for looking up current API documentation, with minor cautions about trusting the external or local chub CLI and its local annotation feature.
This skill appears safe for its stated purpose of fetching current SDK and API documentation. Before installing, make sure the chub command comes from a trusted source, avoid running an unreviewed repository-local fallback, and do not save secrets in local annotations.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the global CLI is missing, the agent may use local project code as the CLI entrypoint, so an unexpected local file could affect what gets executed.
The skill relies on an external or repository-local CLI that is not bundled in the artifact. This is disclosed and aligned with the documentation-lookup purpose, but the user should ensure the command being run is trusted.
If `chub` is not on `PATH`, use a repository-local entrypoint when one exists. In this repository:
```bash
node ./cli/bin/chub --help
```
Install and use a trusted chub CLI, or review any repository-local ./cli/bin/chub file before allowing the agent to run it.
Project-specific details may be saved locally and reused in future documentation lookups or integration work.
The skill instructs the agent to create persistent local annotations. The content is scoped to validated gotchas, but persistent notes can influence later work and should not contain secrets.
If you discover a validated gotcha that the doc does not state clearly, save a local annotation:
```bash
chub annotate stripe/api "Webhook verification requires the raw request body before JSON parsing."
```
Keep annotations factual and non-sensitive, and review or clear them if project context changes.
