Skill v1.0.0
ClawScan security
Aerobase Activities · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 8, 2026, 2:00 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior mostly matches its advertised purpose, but the runtime instructions reference an undeclared external scraping proxy (SCRAPLING_URL) and other external browsing/affiliate flows without declaring corresponding credentials or a trustworthy source, which is inconsistent and worth clarifying before installing.
- Guidance: This skill largely does what its name says and is low-risk from an install perspective (no code or installers). Before installing, verify the following: (1) Who runs the Aerobase API (no homepage/source is provided) and whether you trust that provider to hold your AEROBASE_API_KEY. (2) The SKILL.md uses a Scrapling proxy placeholder ({SCRAPLING_URL}) but does not declare that environment variable — ask the author how Scrapling is provided and whether credentials or a proxy URL are required. (3) The skill will perform occasional web browsing/scraping (TripAdvisor, Google) for edge cases — confirm you are comfortable with the agent sending queries to those services and potentially transmitting user-supplied trip data to an external scraping proxy. (4) Confirm rate limits and that the skill will not pre-fetch data (the doc says to avoid pre-fetching, which is good). If the author can provide a documented source/homepage for Aerobase, add SCRAPLING_URL (or remove the Scrapling requirement) to the declared env vars, and clarify what data is sent to external services, my confidence would increase and the incoherence would be resolved.
Review Dimensions
- Purpose & Capability (ok): Name/description (discover tours/activities near airports) align with the listed API endpoints and the Aerobase Tours API as the primary data source. Requested primary credential AEROBASE_API_KEY is plausible and proportional for an API-backed discovery skill.
- Instruction Scope (concern): SKILL.md instructs the agent to call Aerobase endpoints and to use a browser/scraping fallback (Scrapling) for niche cases. It includes a concrete web_fetch snippet using a {SCRAPLING_URL} placeholder, but SCRAPLING_URL is not declared in requires.env. The instructions authorize web scraping TripAdvisor and performing Google searches for price comparisons — these are reasonable for discovery but expand the runtime network surface and require a configured proxy/credential that is not documented.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files. That minimizes filesystem/write risk; nothing will be installed by default.
- Credentials (concern): Only AEROBASE_API_KEY is declared (which is appropriate). However, the SKILL.md references SCRAPLING_URL (and implies use of browser/search and possibly third-party services like Scrapling or Google) without declaring required environment variables or credentials for those services. Missing declarations are an incoherence: the runtime needs at least a Scrapling proxy URL/credential to perform the provided web_fetch example.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system-wide privileges. Model invocation is allowed (default) but that is normal; nothing in the skill requests elevated or permanent presence.
