Skill v1.0.1
ClawScan security
e Crm Autom · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 3:23 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package appears to be a harmless local simulation of a “space login” (what the code does) but contains metadata and documentation inconsistencies (name/slug mismatch and documented environment variables that the code does not use), so you should inspect origin and avoid providing real secrets before installing.
- Guidance: This package appears to be a local simulation and the Python code is straightforward (no network calls, no external installers). However: 1) Metadata/documentation mismatch: the registry name/slug ('e Crm Autom' / e-crm-a) does not match the internal SKILL.md and filenames ('space-login'); verify the author and origin before trusting. 2) SKILL.md mentions environment variables (SPACE_API_KEY) that the code does not use — do not export or paste real API keys or secrets for this skill unless you confirm they are required. 3) If you decide to try it, run it in a sandboxed environment, inspect config.json and the code yourself, and avoid providing sensitive credentials. If you need higher assurance, ask the publisher for an explanation of the naming mismatch and for a provenance or homepage URL before installing.
Review Dimensions
- Purpose & Capability (note): The code (space_login.py) implements a local, simulated 'space login' system consistent with the SKILL.md documentation. However the registry metadata and filenames are inconsistent: the skill was presented as 'e Crm Autom' / slug 'e-crm-a' while SKILL.md and files use 'space-login'. This mismatch could be innocent (mispackaging) but is a sign to verify the source before trusting the package.
- Instruction Scope (note): SKILL.md contains standard install/run instructions and example API usage that match the included code. It does, however, tell users to export environment variables (SPACE_API_KEY and SPACE_CENTER) that are not referenced by the code — the runtime only reads a local config.json. The instructions do not ask the agent to read unrelated system files or transmit data externally.
- Install Mechanism (ok): There is no install spec — this is instruction-plus-source. requirements.txt is empty and there are no downloads or extraction steps. Nothing in the manifest indicates an external binary or risky installer.
- Credentials (concern): The manifest declares no required environment variables, but SKILL.md suggests exporting SPACE_API_KEY and SPACE_CENTER. The code does not read those env vars, so there's an inconsistency between documentation and actual behavior. This mismatch could lead users to accidentally expose secrets they think are needed — do not set or supply real API keys without verifying purpose.
- Persistence & Privilege (ok): The skill does not request persistent privileges (always:false), does not modify other skills or system settings, and contains only local Python code. It cannot autonomously persist beyond normal installation.
