Skill v0.1.0

ClawScan security

ArXiv Semantic Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 6:37 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, required resources, and credential flow are consistent with a RobinSignal-powered ArXiv semantic search; nothing requested is disproportionate to the described purpose.
Guidance
This skill appears to be what it claims: a RobinSignal-backed semantic ArXiv search. Before installing, verify that the RobinSignal origin (https://www.robinsignal.com) is legitimate and matches the registry publisher, since the registry metadata here shows the source as unknown. Be aware you'll be asked to complete a sign-in/verification flow and paste a short code so the agent can obtain and store a RobinSignal API key—treat that apiKey like any sensitive credential. Confirm where your agent runtime will store the key, limit its lifetime if possible, and be ready to revoke the key on RobinSignal if you stop using the skill or see unexpected activity. Do not provide other credentials (Google/Apple/etc.), and only proceed if you trust RobinSignal and the skill owner.

Review Dimensions

Purpose & Capability
note: The skill name, description, and runtime instructions all describe a RobinSignal-backed semantic search for arXiv and the SKILL.md only references RobinSignal endpoints and an API key flow—this is coherent. Minor inconsistency: the registry metadata lists the skill source/homepage as unknown/none while SKILL.md declares canonical origin and homepage (https://www.robinsignal.com). Verify the owner identity and that the published registry entry matches the claimed origin before trusting keys or persistent storage.
Instruction Scope
ok: SKILL.md confines runtime actions to calling the RobinSignal API, constructing semantic queries, and a human-assisted API key verification flow. It does not instruct the agent to read unrelated files, access unrelated env vars, or transmit data to third parties; it explicitly warns not to share the RobinSignal API key. It does suggest optionally saving the skill file locally and storing the returned apiKey securely—both reasonable but require secure storage in your environment.
Install Mechanism
ok: There is no install spec and no code files; this is an instruction-only skill, which is the lowest-risk install model (nothing is written to disk by the skill itself unless your runtime chooses to store the SKILL.md).
Credentials
ok: The skill declares no required environment variables or external credentials up front. The only credential it uses is a RobinSignal apiKey obtained through the documented human-assisted flow—this is proportionate to a remote API integration.
Persistence & Privilege
note: always:false (good). The skill instructs the agent to 'store the returned apiKey securely for future RobinSignal requests', which implies persistence of a service credential. Storing an API key is expected but increases long-term access surface—ensure the key is stored securely, audit where keys are kept, and be prepared to revoke the key if needed.