Back to skill
Skillv1.0.2
ClawScan security
space-login · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 3:10 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a self-contained simulation skill (local Python code) that matches its stated purpose; documentation contains minor inconsistencies but there are no signs of hidden network exfiltration or secret access.
- Guidance
- This skill is a local simulator: the Python files implement an in-memory 'space login' experience and do not contact external services or read secrets. Notes before installing/running: 1) SKILL.md mentions environment variables (SPACE_API_KEY) that the code does not use — treat those as examples only. 2) The package has no external dependencies or installers, but you should still inspect config.json before running to ensure no sensitive values are present. 3) If you want extra assurance, run the examples in a sandbox or isolated environment; otherwise it appears safe for learning/entertainment use.
Review Dimensions
- Purpose & Capability
- okThe name/description (simulated space login/auth) aligns with the provided Python implementation: SpaceLogin is a local simulator that manages in-memory login/logout/status. No unrelated cloud services, binaries, or credentials are requested by the code.
- Instruction Scope
- noteSKILL.md instructs typical install/use steps and CLI/Python usage that map to the code. The docs mention example environment variables (SPACE_API_KEY, SPACE_CENTER) and a config.json, but the Python code does not read those environment variables — it reads a local config file or falls back to built-in defaults. This is a documentation mismatch (misleading but not harmful).
- Install Mechanism
- okThere is no install spec and requirements.txt is empty. The README/SKILL.md suggest pip installing requirements (a no-op here). No downloads, external installers, or archive extraction are present.
- Credentials
- noteRegistry metadata lists no required env vars and the package does not request secrets. However, SKILL.md shows example environment variables which are not required or consumed by the code — a documentation inconsistency. No config paths or credentials are accessed by the code.
- Persistence & Privilege
- okSkill does not request 'always' presence and does not modify system or other skills. It runs as a local library/CLI with no autonomous or privileged side effects.