Skill v1.0.0
ClawScan security
Bing Webmaster CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 6:37 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only helper for operating a local 'bwm' CLI (Bing Webmaster); its instructions and requested actions match that purpose, but the SKILL.md references environment variables and config paths that the registry metadata did not declare — a minor metadata inconsistency worth noting.
- Guidance
- This skill appears to be a straightforward usage guide for a local 'bwm' (Bing Webmaster) CLI. Before installing or using it: 1) Verify the bwm package source (PyPI project page or upstream repo) before running pipx install or pip install -e; 2) Confirm where credentials will be stored (~/.config/bing-webmaster-cli/credentials.json) and set restrictive file permissions (600) so API keys aren't world-readable; 3) Prefer injecting BING_WEBMASTER_API_KEY via CI secrets or ephemeral env variables rather than pasting into shared machines; 4) Check BWM_API_BASE_URL if you must override it — ensure it points to Microsoft endpoints, not a custom host; 5) Note the metadata omission: the SKILL.md references env vars and config paths that the registry did not declare — treat that as a documentation/metadata mismatch and verify the CLI behavior locally before granting credentials.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the content: the skill documents use of a local 'bwm' CLI for API key setup, auth, site listing, stats, index checks and URL submission. Nothing in the instructions asks for unrelated cloud or system privileges.
- Instruction Scope
- concern: SKILL.md instructs the agent/operator to set/use environment variables (BING_WEBMASTER_API_KEY, BWM_* overrides) and read/write config files under ~/.config/bing-webmaster-cli, but the skill metadata declared no required env vars or config paths. Instructions otherwise stay within the CLI's scope and do not request unrelated data exfiltration or external endpoints.
- Install Mechanism
- ok: No install spec in the registry; the SKILL.md recommends standard pipx/pip installation commands. There are no downloads from arbitrary URLs or extract steps in the skill itself.
- Credentials
- note: The skill describes using/storing a Bing Webmaster API key and lists env overrides and credential/config file paths; this is proportional to the stated purpose. However, the registry metadata did not list these env vars or config paths as required, creating a mismatch the user should be aware of.
- Persistence & Privilege
- ok: Skill is instruction-only, not always-enabled, and does not request persistent or elevated platform privileges. It does reference storing credentials under the user's config directory (expected for a CLI).
