Skill v1.0.1

ClawScan security

Singapore Maid Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 6:45 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements align with its stated purpose: it runs a local Node script that queries Sunrise Link's public search API with user-provided filters and does not request unrelated credentials or install arbitrary software.
Guidance
This skill appears internally consistent and only performs unauthenticated queries to Sunrise Link's public search API using a bundled Node script. Before installing, verify that you trust the sunrise-link.sg domain (network calls will be made to it), and confirm that you are comfortable with the agent calling the external API when invoked. The skill explicitly avoids returning PII and directs users to the official site for contact details. If you require stricter controls, run the script in an isolated environment or review the included search_maids.mjs file yourself to confirm it meets your policies.

Review Dimensions

Purpose & Capability
ok: Name/description match the implemented behavior. The included script constructs a query from user filters and fetches results from https://www.sunriselink.sg/api/public/v1/helpers — this is consistent with a maid-search skill.
Instruction Scope
ok: SKILL.md instructs the agent to collect structured filters or run a guided two-round question flow, then call the local search tool and format results. It explicitly forbids returning PII and points users to the official profile URL for contact details. Instructions do not ask the agent to read unrelated files, environment variables, or system state.
Install Mechanism
ok: No install spec or external downloads are used. This is an instruction-only skill with one included Node script (no third-party dependencies). No archives or remote code pulls are executed during runtime.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. The script makes unauthenticated HTTPS requests to the Sunrise Link public API and does not require secrets — the requested access is proportionate to the stated purpose.
Persistence & Privilege
ok: always is false and the skill does not request permanent presence or attempt to modify other skills or agent-wide settings. It runs the local script on invocation only.