Skill v1.1.0
ClawScan security
Configure Telerik NuGet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 20, 2026, 11:54 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions do what its description says (configure a Telerik NuGet feed), but there are mismatches in declared requirements and it instructs storing API keys as a persistent user environment variable (a security concern) without justifying that choice.
- Guidance
- This skill appears to do what it says (add a Telerik NuGet feed and configure credentials), but review a few points before installing/using it:
  - The SKILL.md expects PowerShell (pwsh) and declares dotnet in its frontmatter, but the registry metadata shows no required binaries — verify pwsh is available and be aware of this metadata mismatch.
  - The function will persist the provided API key as a user-level environment variable (Environment.SetEnvironmentVariable with scope 'User'). Persisting secrets in environment variables can expose them to other processes and is less secure than using an OS credential manager, encrypted nuget.config, or CI secret storage. Consider alternatives or set the variable only for the current session.
  - The script writes/overwrites ./nuget.config (or a custom path you supply). Inspect the script and back up your nuget.config before running it.

  If you decide to proceed: supply the API key only after reviewing the script, or run it in a disposable/test environment first. If you need higher assurance about secret handling, prefer solutions that use credential stores or CI secrets rather than persistent user env vars.
Review Dimensions
- Purpose & Capability
- concern: The SKILL.md defines a PowerShell function that sets a user-level environment variable and edits/creates nuget.config to add a Telerik feed — this is consistent with the skill's described purpose. However, the registry metadata earlier lists no required binaries while the SKILL.md frontmatter declares required_binaries: pwsh and dotnet. That metadata mismatch is an inconsistency that could confuse automated checks or users installing the skill.
- Instruction Scope
- note: The instructions stay within the stated purpose: they create/update nuget.config and set credentials to use an environment variable rather than a hardcoded secret. The function also sets a user-level environment variable persistently (Environment.SetEnvironmentVariable with 'User'), which is a side effect users should be explicitly warned about — the SKILL.md does warn to restart the terminal, but does not discuss security trade-offs.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec or code files, so nothing is downloaded or written by an installer step. That lowers install risk.
- Credentials
- concern: No credentials are required up-front, which is fine, but the runtime instructions ask the user to provide an API key that the function will store as a persistent user-level environment variable. Persisting secrets in user environment variables can expose them to other user processes and is a broader access surface than storing secrets in a protected credential store or CI secret manager. Also, dotnet was declared as required in the SKILL.md frontmatter though it isn't used by the script, suggesting over-broad declared requirements.
- Persistence & Privilege
- note: The skill will write (or modify) nuget.config in the specified path and write a user-scoped environment variable (which updates the user's environment registry on Windows). This is normal for a configuration helper, but it is a persistent change to the user's environment and filesystem that the user should review before running.
