Skill v0.1.4

ClawScan security

Sendme · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 22, 2026, 7:00 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only helper for the sendme CLI and its requirements and instructions are consistent with that purpose.
Guidance: This skill is an instruction-only wrapper for the sendme CLI and appears internally consistent. Before installing or using it: (1) verify the Homebrew 'sendme' formula or the upstream repository to ensure you trust the publisher; (2) be careful what files you share; sendme transfers data directly and a ticket grants access; do not publish tickets publicly; (3) understand sendme may fall back to relay servers (check the relay operator if you need to avoid third-party relays); (4) for headless/automated use, the provided PTY pattern is reasonable but review and run it in a safe environment; and (5) treat installation of any third-party binary like installing software from the internet: check signatures, repository history, and community trust before proceeding.

Review Dimensions

Purpose & Capability: ok
Name/description (peer-to-peer file transfer via sendme) match the declared requirement (the sendme binary) and the install hint (brew formula). There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope: ok
SKILL.md only instructs installing and invoking the sendme CLI and includes a PTY-based pattern for headless environments. It does not request reading unrelated files, other env vars, or transmitting data to unexpected endpoints. It correctly warns the sender must stay online and that relays may be used as a fallback (an expected implementation detail).
Install Mechanism: note
Install spec points to a Homebrew formula named 'sendme' which is a reasonable, low-risk install mechanism. The manifest also mentions cargo install as an alternative. As with any third-party binary, users should verify the formula/source/repository and trustworthiness of the package before installing.
Credentials: ok
No environment variables or credentials are requested. The lack of secrets is proportional to a CLI wrapper/usage guide for a peer-to-peer file transfer tool.
Persistence & Privilege: ok
Skill does not request always:true and is not force-included. It makes no persistent changes or requests elevated privileges; autonomous invocation is allowed by default but is normal for skills and not combined with other red flags here.