Skill v1.0.0

ClawScan security

api-documenter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 12:49 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only API documentation assistant and its declared behavior, requirements, and scope are consistent with that purpose.
Guidance
This instruction-only skill appears coherent for API documentation tasks and does not request credentials or install code. Before using it: be prepared to provide API specifications, host endpoints, and any credentials securely (the skill will need them to enable try-it-out or auth testing); do not paste secrets into chat unless you trust the session; watch for any later prompts that ask to download or run external code or to send your API keys to unknown endpoints. If you need the skill to test live endpoints, supply scoped/test credentials and verify any generated example code before using it in production.

Review Dimensions

Purpose & Capability
ok: Name and description match the SKILL.md instructions: creating OpenAPI specs, examples, interactive docs, and guides. The skill does not request unrelated binaries, credentials, or config paths.
Instruction Scope
note: The SKILL.md contains broad, high-level steps for cataloging endpoints, writing specs, and adding interactive features. It references querying a 'context manager' and collaborating with other agents/roles — this is consistent with documentation work but is somewhat vague about what exact inputs (API specs, host URLs, credentials) the agent will read from the environment or request from the user.
Install Mechanism
ok: There is no install spec and no code files; the skill is instruction-only so nothing is written to disk and no third-party packages are installed.
Credentials
note: The skill does not declare or require any environment variables or credentials. In practice, enabling features like try-it-out or authentication testing will require the API host and credentials supplied at runtime — those are not requested in the SKILL.md, which is acceptable but means the agent will rely on externally provided context/credentials.
Persistence & Privilege
ok: The skill does not request permanent/always-on inclusion, does not modify other skills or system-wide settings, and relies on normal, user-invoked or autonomous invocation behavior.