Skill v1.0.0
ClawScan security
TrustMeImWorking · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 7:20 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, install steps, and runtime instructions are internally consistent with its stated purpose (simulating API token usage); however, it includes optional features (JWT helper shell execution, mTLS key paths, custom gateway URLs, background daemon + scheduler) that grant broad local secret access and should be used with caution.
- Guidance: This project implements exactly what it claims: a background daemon that makes frequent LLM API calls to consume tokens. Before installing, consider:
  - Ethical/legal: It intentionally falsifies usage metrics; using it may violate workplace policies or local law.
  - Secrets risk: The tool stores your API key in config.json and supports mTLS key files and a jwt_helper shell command. jwt_helper runs arbitrary shell commands before each run and could leak secrets if you point it at an untrusted script; mTLS requires supplying a private key file path which, if readable by others, is sensitive. Only use these features on machines you fully control.
  - Gateway URL: You can set a custom base_url; ensure it points to a trusted endpoint. A malicious relay could capture your API key and requests.
  - Persistence: The daemon and optional scheduler make the behavior long-lived. If you stop using it, remove scheduled jobs and delete stored keys.

  Practical recommendations: review the repository locally before running; keep config.json permissions tight; do not supply jwt_helper commands you didn't author; do not point base_url to unknown third-party relays; avoid using company credentials if this would violate policy. If you want to proceed safely, run with --dry-run first and inspect logs, and consider using a disposable/low-privilege API key.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (python), and Python dependencies (openai, requests, rich) match the stated goal of making periodic API calls and showing a dashboard. The code files implement wizard, daemon, scheduler, engine and platform presets consistent with the description.
- Instruction Scope (note): SKILL.md and the wizard instruct the user to store an API key in a local config.json and to optionally configure base_url, extra headers, HTTP proxy, JWT helper, and mTLS cert/key paths. The instructions do not ask the agent to read unrelated system files, but the runtime code will (optionally) execute a user-provided shell command (jwt_helper) and read user-supplied certificate/private key file paths; both are beyond simple API calling and grant access to local secrets if configured.
- Install Mechanism (ok): Install spec declares only standard Python packages (openai, requests, rich) via package manager; no downloads from arbitrary URLs or extract operations are present. This is proportionate to the tool's functionality.
- Credentials (note): No environment variables are required by the registry metadata; the tool accepts an API key via config.json (expected). Optional features (jwt_helper, mtls_cert/mtls_key paths, extra_headers) legitimately support enterprise gateways, but they permit executing arbitrary shell commands and reading local private keys, powerful capabilities that can expose secrets if misused.
- Persistence & Privilege (note): The skill runs as a persistent background daemon and can install legacy scheduler entries (crontab). Persistent background execution is consistent with the purpose (continuous token consumption) but increases blast radius if misconfigured. 'always' is false and the skill does not request privileged platform-level system modifications beyond creating config/log and scheduling itself.
