Back to skill
Skillv1.0.0
ClawScan security
Ebusy Courts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 12:05 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill appears to do exactly what it claims (a small Python client that logs into eBusy and fetches reservations); its code is straightforward and requests credentials only for the eBusy service, but there are minor metadata/dependency declaration omissions to be aware of.
- Guidance
- This skill's code is simple and matches the description, but before installing: (1) be prepared to provide eBusy credentials (EBUSY_BASE_URL, EBUSY_USERNAME, EBUSY_PASSWORD, EBUSY_COURT_ID) — the registry metadata does not list these, so don't be surprised when the script requires them; (2) run it in a virtualenv and pip install requests and beautifulsoup4 as SKILL.md suggests; (3) keep any .env or credential files local and out of published repos; (4) verify the base URL you set (the script has a default BASE_URL pointing to a real hall — if you don't set EBUSY_BASE_URL you may query that endpoint unintentionally); and (5) if you allow an agent to call this skill autonomously, ensure the agent is only given the specific hall credentials you want it to use (no broad or shared secrets).
Review Dimensions
- Purpose & Capability
- noteThe skill's name/description match the code: it logs into eBusy instances and fetches reservations. The only mismatch is that the registry metadata lists no required environment variables even though the client requires EBUSY_BASE_URL, EBUSY_USERNAME, EBUSY_PASSWORD, EBUSY_COURT_ID (and optionally EBUSY_FIRST_COURT_NO). Requesting those credentials is proportionate to the stated purpose.
- Instruction Scope
- okSKILL.md instructs the agent/user to set the eBusy-related environment variables and run the Python script; the instructions do not ask to read unrelated files, access unrelated services, or exfiltrate data. The agent usage guidance keeps decision logic out of the skill code as intended.
- Install Mechanism
- noteThis is an instruction-only skill (no install spec). The code depends on third-party Python packages (requests, beautifulsoup4) which are not declared in registry metadata; SKILL.md mentions installing them in a venv, but the registry does not record these dependencies.
- Credentials
- noteThe environment variables the skill uses (EBUSY_BASE_URL, EBUSY_USERNAME, EBUSY_PASSWORD, EBUSY_COURT_ID, EBUSY_FIRST_COURT_NO) are appropriate for accessing eBusy. However, the registry incorrectly lists 'none' for required env vars — the missing metadata could mislead users about what secrets are needed.
- Persistence & Privilege
- okNo elevated persistence is requested (always: false). The skill does not attempt to modify other skills or system config; it only reads environment variables and performs HTTP requests to the configured eBusy instance.