Skill v3.3.1
ClawScan security
Aerobase Travel Lounges · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 4, 2026, 3:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only adapter for the Aerobase API that only requests a single API key, and its runtime instructions and limits align with the stated purpose.
- Guidance: This skill appears coherent and limited to calling Aerobase APIs. Before installing: (1) confirm https://aerobase.app is the legitimate service and review its privacy/terms, (2) only provide the AEROBASE_API_KEY (do not paste other credentials), (3) store the key with least privilege and rotate it if possible, (4) note free-tier limits (5 requests/day) and upgrade options, and (5) be aware that allowing autonomous invocation means the agent may call the Aerobase API when it deems appropriate — if you want to restrict that, only enable the skill when needed. If you need higher assurance, review Aerobase API docs and verify the endpoints and behavior independently.
Review Dimensions
- Purpose & Capability: ok. Name/description (airport lounge lookups and recovery-aware recommendations) match the declared primary credential (AEROBASE_API_KEY) and the documented endpoints; nothing requested appears unrelated to lounge lookup functionality.
- Instruction Scope: ok. SKILL.md limits actions to calls to Aerobase endpoints, includes parameter validation and HTTP error handling, explicitly forbids asking for user passwords/OTPs/cookies, and does not instruct reading unrelated files or environment variables.
- Install Mechanism: ok. No install spec and no code files are included (instruction-only), so nothing will be downloaded or written to disk by an installer step.
- Credentials: ok. Only a single service API key (AEROBASE_API_KEY) is declared as required; no additional secrets, unrelated credentials, or config paths are requested.
- Persistence & Privilege: ok. Skill is not always-on and does not request elevated platform privileges or modifications to other skills; autonomous invocation is enabled but that's the platform default.
