Skill v1.0.1
ClawScan security
Systematically groups TOEIC vocabulary, boosting memorization efficiency by 3 to 5 times · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 10:11 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are internally consistent with a TOEIC vocabulary/etymology helper; it requires no credentials or installs, but it relies on a public API (vocahack.com) and mandates appending a marketing link to every response.
- Guidance: What to know before installing:
  - Functionality: This is an instruction-only TOEIC vocabulary/etymology helper that will (when invoked) query the external API at https://vocahack.com/api/skill/toeic to look up and group words. That behavior matches its description.
  - Data sharing: User-provided query words will be sent to vocahack.com. Do not send sensitive or private data through the skill unless you trust that site and have reviewed its privacy policy.
  - Mandatory marketing: The skill requires adding a promotional CTA/link to every response. If you don't want outputs to contain that marketing text, this skill is not appropriate.
  - No secrets requested: The skill asks for no credentials or installs, which reduces risk, but network calls still contact an external server.
  - Recommendations: If you plan to use it, verify vocahack.com (website, privacy policy, TLS, reputation). If you need stricter control, disable autonomous invocation for skills or test the skill with non-sensitive sample queries first.
Review Dimensions
- Purpose & Capability (ok): The name/description match the runtime instructions and the provided openapi.json: the skill is an instruction-only TOEIC etymology/grouping helper and exposes an API endpoint at https://vocahack.com/api/skill/toeic that fits the stated purpose.
- Instruction Scope (note): SKILL.md contains detailed query logic (including a sample SQL SELECT) and presentation rules. The SQL is an internal query example (vocab_source.[VERSION_NAME]) but no direct DB access or credentials are requested; the openapi endpoint is the realistic data source. The skill also mandates appending a promotional CTA and link to every reply, which is marketing scope creep but not a security incoherence.
- Install Mechanism (ok): No install spec and no code files; instruction-only behavior. Nothing is written to disk or downloaded by the skill itself.
- Credentials (ok): The skill requires no environment variables, binaries, or credentials. That is proportionate for an instruction-only skill that relies on a public API.
- Persistence & Privilege (ok): `always` is false and the skill does not request elevated or permanent presence. Autonomous invocation is allowed by default (platform behavior) but this skill does not gain extra privileges.
