Skill v1.0.0
ClawScan security
Robotaxi Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 3:49 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with its stated purpose (scraping robotaxitracker.com and querying its public Convex backend); it performs only site and backend HTTP queries and local text processing, requests no secrets, and has no install steps.
- Guidance: This skill is coherent with its stated purpose: it downloads robotaxitracker.com HTML/JS into /tmp, scans the bundles for API endpoints, and issues HTTP queries to the public Convex backend(s) found there using curl/jq/rg. It does not ask for credentials. Before installing, consider: (1) the skill will make outbound HTTP requests to robotaxitracker.com and any backend host discovered in the site JS (your network/firewall policies may want to block or log this); (2) it writes temporary files to /tmp (no persistent installs); and (3) if you are in a restricted environment, verify that executing these network probes is allowed. If any of those are concerns, review the SKILL.md and run the commands manually in a controlled environment instead of enabling autonomous invocation.
Review Dimensions
- Purpose & Capability (ok): Name and description match the instructions: the SKILL.md describes fetching the site, downloading frontend JS bundles, discovering public Convex backend hosts in those bundles, and querying those public APIs to extract counts. The declared requirements (curl, rg, jq) are proportional and necessary for that workflow.
- Instruction Scope (note): Instructions are explicit and scoped to fetching robotaxitracker.com HTML/JS, scanning those bundles for API/Convex hosts, and probing discovered hosts with specific JSON queries. This stays within the stated purpose, but it will actively contact any hosts referenced in the downloaded JS (e.g., convex.cloud hosts discovered in bundles), which may be non-obvious to some users or organization network policies.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. Nothing is written to system install locations; temporary files are written under /tmp as part of the workflow.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. All required tools are appropriate for the tasks described; there is no request for unrelated secrets or elevated credentials.
- Persistence & Privilege (ok): always is false and there is no installation or self-modifying behavior. The skill does not request persistent system privileges or modify other skills' configuration.
