Skill v1.0.1
ClawScan security
omadeus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Feb 15, 2026, 12:54 PM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's documentation and runtime instructions are internally inconsistent (references a different domain and Trello credentials while claiming to manage Omadeus), so you should not trust it without clarification.
- Guidance: Do not install or provide any API keys yet. Ask the publisher to explain: (1) why the SKILL.md targets milestone.xeba.ir instead of omadeus.com, (2) why the notes mention Trello and API tokens, (3) which environment variables or credentials the skill actually needs and where they'll be sent, and (4) to provide realistic, correct curl examples (standard HTTP verbs like GET/POST) and a trustworthy endpoint (official Omadeus domain). If you must test, do so in a sandbox account with limited permissions and rotated credentials, and avoid supplying production API keys until the inconsistencies are resolved.
Review Dimensions
- Purpose & Capability (concern): The skill is named and described as an Omadeus REST API integration, but the SKILL.md shows curl calls to https://milestone.xeba.ir/... (not omadeus.com) and contains text referring to Trello (API key/token) — credentials and endpoints don't match the stated purpose.
- Instruction Scope (concern): The runtime instructions tell the agent to run curl against an unexpected external domain and to use a nonstandard HTTP verb ('-X LIST'). They also mention API keys/tokens and rate limits but give no guidance on which environment variables or secure storage to use. The doc's examples and notes appear copy-pasted and out-of-scope.
- Install Mechanism (ok): No install spec and no code files (instruction-only). That reduces disk/installation risk — nothing is downloaded or written by an installer.
- Credentials (concern): The skill declares no required environment variables or primary credential, yet the README warns about API key/token access to a Trello account. This mismatch means the skill may expect secrets but does not declare or justify them.
- Persistence & Privilege (ok): The skill does not request always:true or other elevated persistence. It is user-invocable and allows autonomous invocation by default (normal). It does not declare modifications to other skills or system-wide configs.
