Skill v1.0.5

ClawScan security

Bit URL Shortener · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Mar 15, 2026, 6:52 AM)

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is a documentation-only helper for the bit CLI and its declared requirements and install method are generally consistent with that purpose, with only minor mismatches in declared environment variables and required binaries.
Guidance
This skill is documentation-only for a CLI named 'bit' and is largely coherent, but check a few things before you install or use it:

- Inspect the upstream repository (github.com/ParinLL/bit-cli) yourself before building. The SKILL.md even recommends reviewing the repo first.
- The docs mention an optional BIT_API_URL (default http://localhost:4000) but the skill metadata only declares BIT_API_KEY; be aware of this mismatch and set BIT_API_URL explicitly if you need a remote service.
- Building and installing to /usr/local/bin uses sudo (administrator privileges). Prefer installing to a user-local bin (~/bin) or use 'go install' into your Go bin directory if you want to avoid running commands as root.
- Treat BIT_API_KEY like any secret: do not store it in shared scripts or commit it to source control; consider least-privilege API keys and rotation.
- Verify the Go module and GitHub owner are trustworthy before running 'go build' or 'go install'. If you cannot verify the source, consider obtaining a prebuilt binary from a trusted release channel or avoiding installation.

Given these checks, the skill appears to do what it claims and does not contain instructions that access unrelated credentials or system areas.

Review Dimensions

Purpose & Capability
Status: ok
Name/description (Bit URL Shortener / bit-cli docs) align with the declared needs: a 'bit' binary and an API key. The declared Go install module (github.com/ParinLL/bit-cli) and the listed binaries (bit, go, git) are appropriate for building and using a CLI.
Instruction Scope
Status: note
SKILL.md is documentation-only and instructs building from GitHub, setting BIT_API_KEY, and optionally BIT_API_URL. It does not request access to unrelated files or secrets. Minor issue: BIT_API_URL is described as an optional env var in the docs but is not listed in the skill's declared required env variables (metadata only lists BIT_API_KEY).
Install Mechanism
Status: ok
Install uses the Go module path (go build/go install) and the repo on GitHub; this is a normal public source install path. No downloads from untrusted/personal IPs or archive extracts are present. The SKILL.md also suggests building from source and reviewing the repo first.
Credentials
Status: note
Only BIT_API_KEY is declared as required and is appropriate for an API client. The documentation mentions an optional BIT_API_URL but that variable is not listed in the metadata fields; this mismatch should be corrected. The skill metadata also requires 'sudo' as a binary, which is not strictly necessary for using the CLI (only for moving a built binary into /usr/local/bin during installation); note the elevated privilege implied by that install step.
Persistence & Privilege
Status: ok
The skill does not request 'always: true' or any persistent elevated privileges. It is user-invocable and allows autonomous model invocation (platform default), which is expected for a skill. There is no indication it tries to modify other skills or system-wide settings.