Back to skill
Skillv1.0.4
ClawScan security
Linkfuse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 19, 2026, 2:35 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required environment variable match its stated purpose (creating Linkfuse affiliate short links) and do not request unrelated credentials or perform unexpected actions.
- Guidance
- This skill appears to do exactly what it says: it uses the LINKFUSE_TOKEN you provide to call Linkfuse's API and create a short/affiliate link. Before installing, ensure the token you provide is from https://app.linkfuse.net/user/external-token and is stored securely (don't commit it to repos or share shells). The skill will make network requests to app.linkfuse.net and prints results to stdout; it does not request other credentials or access unrelated files. If you have concerns, inspect the included scripts (they are small and readable) and consider using a limited/rotatable token you can revoke if needed.
Review Dimensions
- Purpose & Capability
- okName/description match the implementation: the skill only needs a Linkfuse bearer token and posts to Linkfuse's API to create short links. No unrelated services, binaries, or config paths are requested.
- Instruction Scope
- okSKILL.md accurately documents runtime behavior: it requires LINKFUSE_TOKEN, asks for a URL, runs the included Node script, and prints the resulting short URL. Instructions do not ask the agent to read unrelated files or exfiltrate extra data.
- Install Mechanism
- okNo install spec; this is instruction-only with two small included Node scripts. There are no downloads from untrusted URLs or archive extraction steps.
- Credentials
- okOnly LINKFUSE_TOKEN is required (declared). The token is necessary and sufficient for the described API calls; no other secrets, credentials, or config paths are requested.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or system settings. It does perform normal network calls to app.linkfuse.net using the provided token.