Skill v0.2.0

ClawScan security

VoteShip · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 4, 2026, 8:30 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared requirements, instructions, and install step are coherent with a VoteShip integration, but it requests a high‑privilege API key and installs an npm CLI package (moderate risk); verify the package and trust before granting credentials.
Guidance
This skill appears internally consistent with a VoteShip integration, but exercise caution before installing and supplying VOTESHIP_API_KEY:
1) Confirm the npm package (@voteship/mcp-server) exists on a trusted registry (npmjs.org), and review its publisher, recent release history, and package contents (bin scripts).
2) Verify the service homepage/docs (https://voteship.app/docs) and that the package maps to the official project.
3) Only provide an API key scoped to the minimal project and rotate it after testing; avoid giving long-lived global keys when a project-scoped key is possible.
4) Review any webhook endpoints you configure and monitor audit logs for unexpected activity.
If you cannot verify the npm package publisher or the service origin, treat installation as higher risk.

Review Dimensions

Purpose & Capability
ok
Name, description, and required environment variables (VOTESHIP_API_KEY, VOTESHIP_PROJECT_SLUG) align with a feature-request / board management integration. The declared node package (@voteship/mcp-server) that provides a voteship-mcp binary is consistent with a CLI helper for the service.
Instruction Scope
ok
SKILL.md contains only VoteShip-related actions (listing/creating/updating posts, votes, tags, webhooks, analytics, AI triage) and references the two declared env vars. It does not instruct the agent to read unrelated system files or arbitrary environment variables, or to exfiltrate data to third-party endpoints beyond configuring webhooks (which is a documented VoteShip feature).
Install Mechanism
note
The install uses an npm package (@voteship/mcp-server), which is an expected distribution method for a Node CLI, but npm installs are moderate risk because they introduce third-party code onto the system. No direct URL downloads or archives are used (good). Verify the package publisher and contents before installing.
Credentials
note
Only two env vars are required, which matches the skill's purpose. However, VOTESHIP_API_KEY is a high-privilege credential (admin access according to the docs) that grants full project control (create/delete posts, configure webhooks, update users, sync MRR). Requesting this single key is proportionate to admin functionality but carries elevated risk if misused.
Persistence & Privilege
ok
The skill does not request always:true and does not ask to modify other skills or system configs. It will install a binary via npm (its own artifact) but does not require persistent platform privileges beyond normal installation.