Skill v1.0.0
ClawScan security
Local Life · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Feb 17, 2026, 11:11 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only dashboard that fetches public weather, currency and holiday APIs for a given city; its requests and behavior are consistent with that purpose and it asks for no credentials or installs.
- Guidance: This skill is instruction-only and uses public APIs (wttr.in, economia.awesomeapi.com.br, date.nager.at) to build a local dashboard, and it requests no secrets; that is generally safe and coherent with its description. Before installing, consider:
  1) The skill will make outbound network requests containing the city name (and current date/time) to public endpoints. If you need to avoid any outbound calls or logging of query data, do not enable it.
  2) The AQI step is vague: it instructs the agent to use a 'search tool (e.g., Brave API)'. Confirm which browsing/search tool the agent will actually use and whether you trust it to perform web queries.
  3) If you expect a different default city than Goiânia, note the skill defaults to Goiânia when no city is provided.
  4) The skill has no rate-limit or error-handling guidance. Expect possible failures if upstream APIs change or become rate-limited.
  If those behaviors are acceptable, the skill is consistent and proportionate to its stated purpose.
Review Dimensions
- Purpose & Capability (ok): The name/description (local dashboard for weather, AQI, currency, holidays) matches the runtime instructions: it calls wttr.in for weather/astronomy, economia.awesomeapi.com.br for exchange rates, and date.nager.at for holidays. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope (note): Instructions are narrowly scoped to collecting public data for a city and formatting a dashboard. One minor vagueness: the AQI fallback directs the agent to use a 'tool de pesquisa (como a API da Brave)' to query 'qualidade do ar em {CIDADE} hoje'. This is ambiguous about which search/browsing tool will be used and could result in arbitrary outbound web requests depending on the agent's available tools. Otherwise the curl calls and JSON fields targeted are appropriate and proportional.
- Install Mechanism (ok): No install spec and no code files; this is an instruction-only skill. This is low-risk since nothing is written to disk by the skill bundle itself.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. All external requests use public unauthenticated APIs appropriate for the stated functionality.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent system privileges or modify other skills/config. Autonomous invocation is permitted by default but is not combined with broad credential access.
