Back to skill
Skillv3.0.0
ClawScan security
Deep Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 30, 2026, 10:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements (AnyGen CLI + ANYGEN_API_KEY) and instructions match its stated purpose of generating deep research reports; nothing requested or instructed is disproportionate or unrelated.
- Guidance
- This skill appears coherent: it needs the AnyGen CLI and one API key to operate. Before installing, verify you trust AnyGen/@anygen/cli on npm (review the package and the publisher), ensure the ANYGEN_API_KEY you provide has minimal necessary scope, and avoid sending sensitive secrets or customer data to the service. Be aware the CLI may open a browser for auth and that generated research will be processed by AnyGen's servers (www.anygen.io). If you want extra caution, inspect the installed @anygen/cli code or run it in a constrained environment before supplying production credentials.
Review Dimensions
- Purpose & Capability
- okName/description (deep research) align with required binary (anygen) and the single API credential ANYGEN_API_KEY. Requesting the AnyGen CLI and API key is expected for a server-side report-generation integration.
- Instruction Scope
- okSKILL.md only instructs use of the AnyGen CLI, API-key or browser auth flows, and optionally installing a related AnyGen workflow skill. It does not direct reading of unrelated files, system paths, or other environment variables, nor does it instruct exfiltration to unexpected endpoints beyond anygen.io.
- Install Mechanism
- noteThe install uses an npm package (@anygen/cli) to provide the anygen binary. This is an expected distribution method for a CLI but carries the usual npm risks (package content from registry). No direct download URLs or obscure hosts are used.
- Credentials
- okOnly ANYGEN_API_KEY is required and is declared as the primary credential. The single credential is proportionate to the skill's purpose. Ensure the key's scope and permissions are appropriate before supplying it.
- Persistence & Privilege
- okSkill does not request always:true, does not require system config paths, and does not modify other skills. Model invocation/autonomy is enabled (platform default) but not excessive here.