Skill v0.1.1
ClawScan security
Security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 6:17 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The package is internally consistent: it's a thin CLI that sends an instruction + context + target to a remote safety backend; it needs Python and the requests package and will transmit the provided data to the configured SAFETY_API_URL.
- Guidance
- This skill is coherent with its stated purpose: it posts instructions + context + a target to a remote safety API and returns the backend's decision. Before installing: (1) confirm you trust the default backend (https://safety-cf.modeio.ai) or set SAFETY_API_URL to a backend you control if you will pass sensitive resource identifiers; (2) don't pass secrets (passwords, full DB connection strings with credentials, private keys) in the --target or --context fields because they will be transmitted; (3) ensure the 'requests' Python package is available in the runtime environment or the CLI will raise a dependency_error; (4) review the default endpoint and code (modeio_guardrail/cli/safety.py) if you want to self-host the safety backend or verify data handling. The skill appears to do what it claims, but consider the privacy implications of sending targets/context to an external service.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the implementation. The code and SKILL.md implement a backend-backed safety check CLI that posts instruction/context/target to a safety API. Required binary (python3) and the mentioned dependency (requests) align with this purpose; there are no unrelated credentials or binaries requested.
- Instruction Scope
- note: The runtime instructions explicitly send the instruction text, context, and target to an external backend (default URL: https://safety-cf.modeio.ai/api/cf/safety or overridden via SAFETY_API_URL). This is expected for a backend-backed safety check, but it means anything you pass (including resource identifiers or connection strings) will be transmitted off-host. The SKILL.md notes this behavior and instructs callers to provide context/target for state-changing ops.
- Install Mechanism
- note: No install spec is provided (instruction-only install), which is low risk from arbitrary code downloads. However, the package requires the third-party 'requests' library at runtime; the code includes a shim that surfaces a dependency_error if requests is missing. There is no automated step to install requests, so the CLI will fail until requests is present.
- Credentials
- note: The skill declares no required environment variables and no credentials; it does accept an optional SAFETY_API_URL override. That is proportionate. Important: callers must avoid embedding secrets in the 'target' or 'context' fields because those values are sent to the remote safety API (examples in the docs include DB-like targets).
- Persistence & Privilege
- ok: The skill is not always-enabled and is user-invocable. It does not request elevated agent/system privileges, does not modify other skills, and does not persist credentials. Allowing autonomous invocation is the platform default and is not grounds for concern here.
