Skill v1.0.0
ClawScan security
Mission Control - ClawDash Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 5:33 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only skill whose content and requirements align with its stated purpose (generating publish-ready wiring instructions for ClawDash Pro → Open Cloud); it does not install code or request credentials itself, but it explicitly guides users to supply and transmit integration credentials to Open Cloud — so users should be careful when handing over secrets or production endpoints.
- Guidance: This skill is instruction-only and appears coherent for producing integration docs. Before using it, review the generated instructions manually: do not paste production API keys or secrets into publicly-accessible files or documentation, and do not include secrets in any copy-paste blocks unless you trust the receiving party. The skill's Open Cloud prompt explicitly asks for a change summary that may list endpoints and env var names — ensure those outputs do not leak secret values. Test wiring in a staging environment, redact or use short-lived credentials when handing data to Open Cloud, and confirm Open Cloud's security/trustworthiness before sharing production credentials or routes.
Review Dimensions
- Purpose & Capability (ok): The name/description match the SKILL.md and reference material: the skill's sole purpose is to author step-by-step integration documentation for connecting a prebuilt Next.js UI (ClawDash Pro) to Open Cloud. It does not request unrelated binaries, credentials, or system-level access.
- Instruction Scope (note): Instructions are narrowly focused on producing documentation and include a copy-paste prompt the user should send to Open Cloud. The document instructs users to prepare API keys, workspace IDs, and .env values — it does not instruct the agent to read local files or secrets. However, the provided Open Cloud prompt asks Open Cloud to return a change summary listing wired endpoints and env vars, which could encourage sharing sensitive information with an external service; this is a user-facing risk to be managed by the customer.
- Install Mechanism (ok): No install spec and no code files that would be written to disk; this is low-risk from an install/remote-code perspective (instruction-only).
- Credentials (note): The skill itself does not request environment variables or credentials. The template and instructions, however, explicitly tell users to populate `.env.local` with API keys, workspace/organization IDs, and base URLs and to include those in the handoff to Open Cloud. Those credentials are proportionate to the described integration, but handing them to another service has privacy/security implications the user should consider.
- Persistence & Privilege (ok): The skill does not request permanent presence (always: false), does not modify other skills or global agent settings, and does not enable autonomous privileged behavior beyond normal agent invocation.
