Back to skill
Skillv1.1.0
ClawScan security
elizaOS Cloud · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 12, 2026, 2:31 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, documentation, and requested environment variable (ELIZACLOUD_API_KEY) are coherent with its stated purpose of managing elizaOS Cloud; only minor documentation/metadata omissions are present.
- Guidance
- This skill appears to do what it says: it manages elizaOS Cloud via the API and requires only ELIZACLOUD_API_KEY. Before installing or running: (1) inspect the included script (scripts/elizacloud-client.sh) yourself — it is a plain bash client that makes API calls and does not exfiltrate other data; (2) ensure you trust elizacloud.ai (the skill will send your API key to that domain); (3) note small metadata omissions — the script expects curl and python3 (and optionally jq) but the registry metadata lists no required binaries, so ensure those tools are available before running; (4) verify the correct base URL for your account (SKILL.md uses https://elizacloud.ai/api/v1 while the reference file sometimes shows https://www.elizacloud.ai); and (5) treat the ELIZACLOUD_API_KEY like any secret: only provide a key with appropriate, minimal permissions and rotate it if exposed. If you need reduced risk, run the CLI in an isolated environment or with a scoped test API key first.
Review Dimensions
- Purpose & Capability
- okName/description match the behavior: SKILL.md and the included CLI script call elizacloud.ai API endpoints and require an ELIZACLOUD_API_KEY. The requested environment variable is appropriate for a cloud API management skill.
- Instruction Scope
- noteRuntime instructions and the bash client operate solely against the elizaOS Cloud API and do not instruct reading unrelated files or exfiltrating data. Minor inconsistencies: the long references file occasionally uses https://www.elizacloud.ai (with www) while SKILL.md and the script use https://elizacloud.ai (no www). The SKILL.md examples and script are narrowly scoped to API operations.
- Install Mechanism
- okNo install spec (instruction-only) and included script is a simple bash wrapper. Nothing is downloaded or written to disk by an installer. Presence of a runnable script without an install step is expected for a CLI helper.
- Credentials
- noteOnly ELIZACLOUD_API_KEY is required, which is proportionate to the described functionality. The script also honors ELIZACLOUD_BASE_URL for overrides. No extra unrelated credentials are requested.
- Persistence & Privilege
- okalways:false and no indications the skill will persistently modify agent/system configuration or other skills. It does not request elevated or always-present privileges.