Skill v0.0.3
ClawScan security
Reddit Explore · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:46 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested environment variable (APIFY_TOKEN) are consistent with its stated purpose of searching Reddit via the Apify actor; no disproportionate permissions or surprising installs are present, but the package has no homepage and an unknown source so verify provenance before use.
- Guidance: This skill appears to do what it says: it runs a small Python script that uses your Apify API token to call the trudax/reddit-scraper-lite actor and returns Reddit posts for summarization. Before installing:
  1. Verify provenance: the package has no homepage and an unknown source; if you don't trust the publisher, inspect the included files (scripts/reddit_search.py and references) yourself.
  2. Understand the credential you provide: APIFY_TOKEN grants access to your Apify account and may incur costs; use a token with limited permissions if possible and monitor billing.
  3. Confirm you are comfortable installing the apify-client Python package via pip.
  4. Be aware scraped Reddit content is public but may contain personal data; consider privacy needs before aggregating or sharing results.
  5. Because disable-model-invocation is true, the model won't call this skill autonomously; if you later enable autonomous use, reassess permissions and provenance.

  If you want higher assurance, request the publisher's homepage or a signed/reviewed release, or review the Apify actor (trudax/reddit-scraper-lite) on Apify to confirm expected behavior.
Review Dimensions
- Purpose & Capability: ok. The skill claims to search Reddit and summarize results. The included script calls Apify via apify-client and uses APIFY_TOKEN, exactly what you'd expect for an Apify-based Reddit scraper. Required binary (python3) and primaryEnv (APIFY_TOKEN) align with the stated functionality.
- Instruction Scope: ok. SKILL.md limits actions to running the included reddit_search.py script, reading its JSON output, and summarizing posts. It does not instruct the agent to read unrelated files, access other environment variables, or transmit data to unknown endpoints. Error handling and setup guidance are narrow and relevant.
- Install Mechanism: ok. This is instruction-only with an included small Python script; there is no install spec that downloads or executes arbitrary remote archives. The only runtime dependency is the apify-client Python package, which the SKILL.md instructs the user to install via pip if missing.
- Credentials: ok. Only APIFY_TOKEN is required and is justified because the script uses Apify's API. No unrelated secrets or multiple credentials are requested. The SKILL.md and script both reference APIFY_TOKEN and no additional environment variables are accessed.
- Persistence & Privilege: ok. The skill is not set to always:true and registry metadata shows disable-model-invocation:true, limiting autonomous invocation; this reduces risk. The skill does not request writing to other skills' config or system-wide settings.
