Skill v2.0.0

ClawScan security

Clawd Throttle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:03 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated routing purpose, but there are inconsistencies in the declared required environment variables and a couple of operational/security concerns (HTTP proxy binding and local key storage) that merit caution before installing.

Review Dimensions

Purpose & Capability
note: The code, README, and data files implement an LLM-routing/proxy skill as described (classifier, routing table, providers, logging). Required binary 'node' is appropriate. However, the registry metadata / SKILL.md lists ANTHROPIC_API_KEY and GOOGLE_AI_API_KEY as required env vars while the runtime code only needs at least one provider configured (it will exit only if no provider is configured). This mismatch between declared required envs and actual code is inconsistent and could mislead users about what must be provided.
Instruction Scope
note: SKILL.md and setup scripts instruct the agent/user to run npm setup, enter API keys, and write config to ~/.config/clawd-throttle/. Instructions and code limit data stored to SHA-256 prompt hashes and local JSONL logs, which is consistent with the privacy statement. A pre-scan pattern flagged 'system-prompt-override' (the SKILL.md refers to system prompts), which is expected for a classifier that considers system prompts but should be treated with care: verify that prompts aren't being sent to external endpoints beyond the configured providers. Overall instructions stay inside the advertised scope (classify, route, proxy, log), but the system-prompt text and the prompt-hashing claim should be validated by inspecting the hashing implementation before trusting privacy guarantees.
Install Mechanism
ok: Install is standard Node/npm (npm install, no unusual downloads). package.json dependencies are normal and install scripts are local (scripts/setup.sh / .ps1). No extract-from-arbitrary-URL or IP-hosted installers were found in the provided files.
Credentials
concern: The skill legitimately needs provider API keys to proxy requests. But the registry metadata declares both ANTHROPIC_API_KEY and GOOGLE_AI_API_KEY as required while the code treats many keys as optional and requires only at least one configured provider. The setup scripts write API keys and other settings to a local config file (and read env vars at runtime); storing keys to disk is functional but increases risk if the config file permissions or location are not secured. No unrelated secrets appear to be requested, but the metadata inconsistency is misleading.
Persistence & Privilege
concern: The skill persists configuration and logs under ~/.config/clawd-throttle/ (config.json, routing.jsonl), which is expected for this kind of tool. It also can start an HTTP proxy. Notably, the server is started with httpServer.listen(config.http.port) (no explicit host), which in Node defaults to listening on all interfaces; that can unintentionally expose the proxy (and the configured provider API keys / quota) to external network users if the host is reachable. always:false and normal autonomous invocation are fine, but you should ensure the HTTP proxy binds to localhost and protect the config/log files' filesystem permissions.
scan_findings_in_context
note