Skill v1.0.5
ClawScan security
Useclick Link Shortening Analytics · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 4:44 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, files, and behavior are consistent with a UseClick API integration helper; it asks for typical API usage (an API key) and contains no unrelated requests or risky install steps.
- Guidance
- This skill appears to be a straightforward integration helper for the UseClick API. Before installing, be aware it will expect you (or downstream code) to provide a UseClick API key and to use it in an Authorization: Bearer header — the skill metadata omits declaring that credential but the instructions depend on it. Only grant the UseClick API key (not other unrelated credentials), and consider limiting the key's permissions if UseClick supports scoped keys. Because the skill is instruction-only (no install), it won't write code to disk, but an agent with this skill can make network calls using whatever credentials you provide — review the short URLs and analytics returned and avoid giving broader long-lived secrets unless necessary.
Review Dimensions
- Purpose & Capability
- ok: Name and description (UseClick link shortening & analytics) match the included instructions and reference docs. All endpoints, flows, and features described are directly relevant to building integrations with the UseClick API.
- Instruction Scope
- ok: SKILL.md and reference files stay within scope: they describe verifying an API key, calling UseClick endpoints, handling rate limits, and mapping features to plans. There are no instructions to read arbitrary local files, exfiltrate data, or call external services other than the documented UseClick endpoints. One minor note: examples reference an environment variable ($USECLICK_API_KEY) and Authorization header usage, which is appropriate, but the skill does not declare required env vars in the metadata (see environment_proportionality).
- Install Mechanism
- ok: No install spec and no code files are present; this is an instruction-only skill that makes network calls at runtime. That is the lowest-risk install model and matches the described purpose.
- Credentials
- note: The guidance clearly expects the user to supply a UseClick API key (examples use Authorization: Bearer and $USECLICK_API_KEY), but the skill metadata does not declare a primary credential or required env vars. This is a documentation/metadata omission rather than an attempt to access unrelated credentials: only a UseClick API key is implied and that is proportional to the skill's function.
- Persistence & Privilege
- ok: always is false, the skill is user-invocable, and it does not request persistent system-wide privileges or attempt to modify other skills' configs. Autonomous invocation is allowed by default (disable-model-invocation is false) but that is expected for skills of this type.
