Skill v1.0.0
ClawScan security
Outlit SDK · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 7:41 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requests and instructions match its stated goal (adding the Outlit SDK to web/server apps); it reads the repo to detect framework and suggests adding a public key and installing the appropriate package, but there are minor ambiguities to be aware of.
- Guidance: This skill is an instruction-only integration helper that will scan your repository (package.json, Cargo.toml, lockfiles and common tracking/analytics files), suggest package-manager install commands, and ask you to add an Outlit key to your environment config. Before using it: (1) Do not paste private secret keys into chat — confirm whether the prompt asks for a public client key or a server secret. (2) Review any package-manager commands the agent suggests before running them. (3) Expect the agent to read many project files during detection; if your repo contains sensitive files, run the skill in a safe environment or limit its access. If you need clarification about which key to provide for server vs browser usage, verify with Outlit docs or your admin.
Review Dimensions
- Purpose & Capability (ok): Name/description (Outlit SDK integration) align with the instructions: detect framework/package manager, add the correct Outlit package, wire a public key, and verify events. No unrelated services, binaries, or secrets are demanded by default.
- Instruction Scope (note): SKILL.md asks the agent to read project files (package.json, Cargo.toml, lockfiles, analytics/tracking files, etc.) and to run simple detection via glob/grep — this is appropriate for an integration helper. It also instructs installing packages (via detected package manager) and editing environment configuration. The instruction set does not ask to exfiltrate unrelated data, but it does assume access to the repository and to edit env/config files, so users should expect the agent to read many project files during detection.
- Install Mechanism (ok): This is instruction-only with no install spec and no external archive downloads. The agent will suggest running the project's package manager to install @outlit/browser or @outlit/node (normal for an integration).
- Credentials (note): No environment variables are required by the skill metadata. The guide asks the user for their Outlit 'public key' and instructs adding it to framework-specific env vars — which is proportionate. One ambiguity: it maps the same key name (OUTLIT_KEY) for 'server apps', which could be interpreted as a secret/server key; the doc calls it 'public key' earlier. Users should verify whether they are providing a public (client) key or a secret before pasting credentials.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; the skill does not request persistent platform privileges or modify other skills. Autonomous invocation is allowed by default (disable-model-invocation is false) but is not combined with other concerning factors.
