Skill v1.0.0
ClawScan security
Bunpro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 2:38 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested credential line up with its stated purpose of syncing Bunpro progress; nothing suggests it does unrelated or hidden actions.
- Guidance: This skill appears to do exactly what it claims: pull your Bunpro frontend data and store it locally. Before installing/running:
  1) Understand the token is a sensitive browser JWT; do not share it. Prefer exporting BUNPRO_FRONTEND_API_TOKEN as an environment variable rather than passing it on the command line.
  2) Inspect the included scripts yourself (they are plain Python) and ensure they only call https://api.bunpro.jp; the package uses the 'requests' library (install it into a virtualenv).
  3) Treat the generated bunpro.db as sensitive personal data and store it securely (encrypt or keep in an isolated directory).
  4) Because the skill uses community-documented endpoints and a frontend token that can expire, expect to refresh the token periodically.
  5) If you have policy or TOS concerns, verify that using the frontend token and community API is acceptable to Bunpro and revoke your session token via logout if needed.

  Overall this is coherent and proportionate, but follow the usual precautions when handling authentication tokens and local backups.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, and included Python scripts all implement fetching Bunpro frontend endpoints and storing results in a local SQLite DB. Requested binary (python3) and single env var (frontend JWT) are appropriate for the stated task.
- Instruction Scope (note): SKILL.md explicitly instructs the user how to extract the browser Frontend API Token via DevTools (console/local storage/network) and how to run the scripts. That instruction is sensitive but coherent with the need for a browser JWT; the skill does not instruct reading unrelated system files or posting data to external endpoints beyond api.bunpro.jp. Note: it allows passing the token directly on the CLI (less secure).
- Install Mechanism (ok): This is instruction-only (no installer downloads). It requires python3 and the scripts use the 'requests' library; no remote URLs or archive extraction are used. Minor note: the SKILL.md does not explicitly list Python package dependencies (requests), so the user may need to install them manually.
- Credentials (ok): Only BUNPRO_FRONTEND_API_TOKEN is required and is the correct credential for the frontend API the skill uses. The token is appropriately marked as primaryEnv. The skill recommends both env var and CLI token options; the latter is less secure but functionally consistent.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide configuration changes or other skills' credentials. It only writes a local SQLite database in the specified data directory.
