Skill v1.1.2

ClawScan security

Coupler.io · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 24, 2026, 3:46 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and requirements are coherent with its stated purpose: it instructs the agent to use the mcporter CLI and OAuth to query Coupler.io MCP endpoints and does not request unrelated credentials or installs.
Guidance
This skill is internally consistent, but take the usual precautions for OAuth-based connectors: (1) install mcporter only from a trusted source and, if possible, review its repo/code; (2) be aware mcporter will persist OAuth tokens to config/mcporter.json — protect that file (restrict filesystem permissions) or use an isolated environment if you don't want tokens on your main machine; (3) queries are read-only but can return sensitive data, so avoid running broad queries without reviewing results; (4) after use, you can revoke tokens from your Coupler.io account and delete the local config file if desired; (5) verify the endpoints (auth.coupler.io and mcp.coupler.io) against official Coupler.io docs if you need extra assurance.

Review Dimensions

Purpose & Capability
ok
Name/description match the instructions: the skill expects the mcporter CLI and a Coupler.io account and only details commands against auth.coupler.io and mcp.coupler.io. There are no unrelated binaries, environment variables, or config paths required.
Instruction Scope
note
SKILL.md keeps to the connector's scope (authenticate via OAuth, persist mcporter config, run mcporter call commands to list flows, get schemas, and run read-only queries). It does instruct storing OAuth tokens in config/mcporter.json and suggests manually editing that file to add "auth":"oauth" if needed — this is within scope but means sensitive tokens will be written to disk and the user should be aware.
Install Mechanism
ok
Instruction-only skill: no install spec or remote downloads. The only external dependency is the mcporter CLI (user-provided), so the skill itself does not write code or fetch artifacts.
Credentials
note
The skill declares no env vars or credentials (proportionate). However, runtime use requires OAuth tokens which are persisted to config/mcporter.json — this is expected for a connector but represents sensitive material that will reside on disk.
Persistence & Privilege
ok
always:false and normal autonomous invocation. The only persistence the instructions describe is saving OAuth tokens to the mcporter config file (local to the tool), which is appropriate for this kind of connector and does not change other skills or global agent settings.