Skillv1.2.2

ClawScan security

SolidClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 2:24 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, required tools, and requested environment variables are coherent with its stated purpose (interacting with SOLID Pods); nothing in the files appears to perform unexpected exfiltration or require unrelated credentials.
Guidance: This skill appears to do what it says: a Node CLI using Inrupt libraries to operate on SOLID Pods via client-credentials OIDC. Before installing, confirm you set the correct environment variable names (the code expects SOLID_OIDC_KEY; README mentions SOLID_CLIENT_SECRET) and only provide credentials you trust to operate against your chosen Identity Provider. If you plan to use pod provisioning or area-request features, review the commands it will print/run and ensure you understand any registration POSTs are performed from your shell (the skill prints curl instructions rather than executing them). If you need absolute assurance, inspect the scripts locally (they're included) and run npm install in an isolated environment before granting access to production credentials.

Review Dimensions

Purpose & Capability: okName/description (SOLID pod operations) align with what is installed and requested: node is required and the skill asks for SOLID_IDP, SOLID_CLIENT_ID, and SOLID_OIDC_KEY which are the expected client-credentials values for SOLID/OIDC access. The CLI entrypoint (scripts/solidclaw.js) and use of @inrupt libraries match the described capabilities. Minor documentation inconsistency: README examples refer to SOLID_CLIENT_SECRET while the code and SKILL.md use SOLID_OIDC_KEY.
Instruction Scope: okSKILL.md and the scripts instruct the agent to run node {baseDir}/scripts/solidclaw.js and perform explicit SOLID operations (read, write, list, acl, pod provisioning). The runtime instructions limit actions to SOLID endpoints and local CLI invocation; the skill promises to prompt/confirm before destructive or sensitive operations. No instructions ask for unrelated system files or unrelated environment credentials. Small doc discrepancy: README mentions an MCP server scaffold file (mcp-server.js) that is referenced but not present in the manifest.
Install Mechanism: okNo remote download or opaque install step is included; installation is the standard 'npm install' in the baseDir using the package.json that lists well-known @inrupt dependencies. There are no extract-from-arbitrary-URL steps or custom install hosts.
Credentials: okThe required environment variables map to a client credentials OIDC flow (IDP, client id, client secret/key) which is proportionate to interacting with protected SOLID pods. The primary credential (SOLID_IDP) is reasonable. The only concern is inconsistent naming across docs (SOLID_CLIENT_SECRET vs SOLID_OIDC_KEY) which is a usability/confusion risk but not an indication of extraneous credential requests.
Persistence & Privilege: okThe skill does not request always:true, does not write to system config, and does not ask for other skills' credentials or system-level paths. It runs as a normal invocable skill and performs operations only on the user's SOLID pod resources.