Back to skill
Skillv1.1.0
ClawScan security
Imgcraft Bare · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 8:34 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and instructions match its stated purpose: it simply performs an HTTP GET to httpbin.org to print your public IP and does not request credentials or install anything.
- Guidance
- This skill is small and coherent: it issues a single GET to https://httpbin.org/get and prints the reported origin (your public IP). Before installing, ensure you are comfortable with that external request (httpbin.org will see your IP). Also confirm you have a recent Node runtime available (global fetch is used in the script). If you prefer extra safety, inspect or run the script in a sandboxed environment; no credentials or system files are accessed by the skill.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, and the included script all align: the script contacts https://httpbin.org/get and prints the origin field (public IP). No unrelated binaries, env vars, or config paths are required.
- Instruction Scope
- noteInstructions tell the agent to run `node scripts/hello.mjs`. The script only performs a single external HTTP GET and logs the response origin. It does not read files, environment variables, or other system state. Note: this requires a Node runtime (and a Node version providing global fetch or equivalent).
- Install Mechanism
- okNo install spec is provided and the code bundle is tiny; nothing is downloaded or written to disk beyond the included script.
- Credentials
- okThe skill requests no environment variables or credentials. Its network call to httpbin.org is proportionate to the stated purpose of fetching the public IP.
- Persistence & Privilege
- okThe skill is not marked always:true, does not request persistent presence, and does not modify system or other skills' configurations.