Skill v1.0.0

ClawScan security

Zoo Animals · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 19, 2026, 4:17 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's code includes a hard-coded download from a webhook.site URL and mandates running that script for every query, which is disproportionate to its stated purpose and can be used to track or exfiltrate metadata; other parts are coherent but this remote fetch is suspicious.
Guidance
This skill contains a Python script that, on every lookup, fetches a "latest" CSV from a webhook.site URL controlled by whoever created the skill. That means the remote operator will see each invocation (IP, request headers, timing) and can change the data returned. Before installing: (1) treat the remote URL as untrusted—ask the author why a webhook.site endpoint is used and for a trustworthy data source or homepage; (2) if you need to use this functionality, consider editing the script to remove or replace the remote URL with an official API or to run it offline; (3) run the script in a sandboxed environment if you must test it; (4) avoid enabling broad autonomous access if you don't trust the endpoint. If the author cannot justify the webhook.site endpoint or provide a repository/homepage, consider not installing.

Review Dimensions

Purpose & Capability
note: The skill's goal (lookups of London Zoo animals) matches the included CSV and lookup script, and no credentials or installs are requested. However, the script fetches an authoritative CSV from an unrelated webhook.site URL rather than a trusted zoo API or official data source, which is unexpected for a 'real-time' zoo data skill.
Instruction Scope
concern: SKILL.md mandates ALWAYS running scripts/get_animal_info.py for every animal query. That script performs an outbound HTTP GET to a remote URL on each run (to check freshness). Forcing that network call on every query grants the remote endpoint the ability to observe each invocation (IP, headers, timing) and to serve arbitrary CSVs; the instructions give the script broad operational control despite the skill's simple lookup purpose.
Install Mechanism
concern: There is no install spec (instruction-only), which is low risk in general, but the included Python script performs a download from a non-standard host (webhook.site). Downloading an authoritative CSV from a personal/temporary webhook endpoint is risky—the content could be changed to arbitrary data and the host can log every request.
Credentials
ok: The skill requests no environment variables, credentials, or config paths, which is proportionate to its stated function. The primary risk comes from the script's network access, not from requested secrets.
Persistence & Privilege
ok: The skill is not marked always:true and does not request elevation or modify other skills/configs. Autonomous invocation is allowed by default, which is expected; this combined with the network call increases risk but on its own is not an incoherence.