Skillv1.0.0

ClawScan security

BirdWeather · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 20, 2026, 5:58 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, documentation, and runtime behavior align: it queries the public BirdWeather API and requires no credentials or unusual privileges.
Guidance: This skill appears to do exactly what it claims: call the public BirdWeather API and print results. If you plan to run it, consider running in a controlled environment (or inspect the script locally) because it does make outbound HTTPS requests to app.birdweather.com. Do not provide any credentials (none are needed). If you expected a hosted/official source or a homepage for the skill, ask the publisher for provenance; lack of a homepage means you should verify the origin before granting broad runtime privileges in sensitive environments.

Purpose & Capability: okName/description state the skill fetches BirdWeather station data and the code/README only contact https://app.birdweather.com/api/v1 for public station/species/detection endpoints — nothing else is requested.
Instruction Scope: okSKILL.md and the CLI only instruct running the included script with station IDs and optional period/limits. Neither the docs nor the code attempt to read local files, environment secrets, or send data to unexpected endpoints.
Install Mechanism: okThere is no install spec and the bundled Python script uses only the standard library (urllib). No external packages, downloads, or archive extraction are used.
Credentials: okThe skill declares no required environment variables or credentials and the code does not access any. It only makes network requests to the documented BirdWeather API, which is appropriate for the stated purpose.
Persistence & Privilege: okThe skill does not request always:true, does not modify other skills or system settings, and requires no persistent credentials or filesystem changes.