Skillv1.0.0

ClawScan security

Geepers Etymology · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousFeb 18, 2026, 7:33 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions ask for an API key and show external endpoints, but the registry metadata does not declare any required credentials and the skill has no provenance (no source/homepage), so there's an inconsistency you should verify before installing.
Guidance: This skill appears to do what it says (calling an etymology API), but there are two things to check before installing: (1) SKILL.md mentions DREAMER_API_KEY, yet the registry declares no required credentials — ask the publisher to add the required env var to the metadata so you know what credential you'll need. (2) The skill has no listed source or homepage; verify who operates https://api.dr.eamer.dev and review their privacy/terms. If you proceed, avoid reusing sensitive or high-privilege API keys (use a dedicated, scoped key), test in an isolated environment, and only provide keys that are strictly necessary for the service.

Purpose & Capability: okName, description, and the listed endpoints (etymology, explore, sound-changes) are coherent and all relate to etymological lookup and diachronic linguistics. The functionality requested by the SKILL.md matches the skill's stated purpose.
Instruction Scope: noteRuntime instructions are limited to calling the dr.eamer.dev API and include an example authentication environment variable (DREAMER_API_KEY). The instructions do not request reading arbitrary files or other system state and only reference the etymology API endpoints, which is appropriate for the stated purpose.
Install Mechanism: okNo install spec and no code files (instruction-only) — nothing is written to disk and no third-party packages are pulled in. This is low-risk from an install mechanism perspective.
Credentials: concernSKILL.md tells users to export DREAMER_API_KEY for authentication, but the skill's registry metadata declares no required environment variables or primary credential. That mismatch is suspicious: either the metadata is incomplete (legitimate but sloppy) or the skill expects a credential without declaring it. Also the skill has no homepage or source listed, so it's not clear who runs the dr.eamer.dev API or how keys are managed.
Persistence & Privilege: okThe skill does not request always:true, does not modify other skills, and has default invocation settings. There is no indication it requests persistent privileged presence.