Skill v1.0.4

ClawScan security

Arithym · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 16, 2026, 1:32 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Arithym's requests and instructions are coherent with its stated purpose: it asks only for an API key and tells the agent to call arithym.xyz for exact math; there is no unrelated access requested, but installing it will cause your agent to send math queries (and the API key) to that third-party service.
Guidance
This skill appears internally consistent with its purpose, but before installing: (1) confirm you trust arithym.xyz and its privacy/security practices because your queries and the ARITHYM_API_KEY will be sent there; (2) store the API key with least privilege (rotate or use an expendable/test key first); (3) be aware an autonomous agent may call the service automatically when it decides "math matters" — restrict or review agent policies if you need tighter control; (4) because this is instruction-only (no code to review), consider testing with non-sensitive inputs to verify behavior and check the service's terms/privacy before using it with confidential data.

Review Dimensions

Purpose & Capability
ok: The name/description (exact arithmetic) matches the runtime instructions: the skill directs the agent to an external MCP endpoint for exact math and lists math-related tools. There are no unrelated environment variables or binaries requested.
Instruction Scope
ok: SKILL.md is narrowly focused on using the Arithym MCP server for math tasks and gives usage/best-practice guidance. It does instruct adding an mcpServers entry (including an Authorization header) so the agent will call an external service; it does not ask to read unrelated files, secrets, or system state.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself — lowest install risk.
Credentials
ok: Only a single API key (ARITHYM_API_KEY) is required, which is proportional to the declared integration. Note: that key will be added to requests to arithym.xyz and should be treated as a secret.
Persistence & Privilege
note: The skill asks the agent operator to add an MCP server entry to the agent configuration so the agent can call arithym.xyz. This is normal for MCP-based skills and the skill does not request always:true or other elevated privileges, but it does enable outgoing calls that will include your API key.