Back to skill
Skillv1.0.0
ClawScan security
Padel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 1, 2026, 11:02 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, installation guidance, and requested artifacts are consistent with its stated purpose (using the padel-tui CLI to search and book Playtomic courts); nothing appears disproportionate or unrelated.
- Guidance
- This skill is coherent for using the padel-tui CLI to book Playtomic courts. Before installing: (1) confirm you want the agent to run install commands (the skill requires explicit user approval before installing), (2) verify the Homebrew tap and GitHub release you download come from a trusted source (check publisher and checksums/signatures when available), and (3) be aware the CLI stores session tokens at ~/.config/padel-tui/session.json — do not paste credentials into chat; use the interactive `padel-tui auth login` flow as instructed. If you prefer, you can install the CLI yourself and let the skill use your existing binary. If you have any doubt about the third-party Homebrew tap or release provenance, install from source or skip installation and perform bookings manually.
Review Dimensions
- Purpose & Capability
- okThe name/description describe CLI-based Playtomic bookings and the SKILL.md and INSTALLATION.md exclusively reference installing and running the padel-tui CLI, searching, booking, listing matches, and canceling matches. No unrelated credentials, services, or binaries are requested.
- Instruction Scope
- okRuntime instructions limit the agent to checking for the CLI, asking for explicit consent before installing, instructing interactive login (user runs `padel-tui auth login`), running search/book/match commands, and only performing user-impacting actions after explicit intent. The skill does not instruct the agent to read arbitrary system files or exfiltrate data. It does reference the default session file (~/.config/padel-tui/session.json) as the place where the CLI stores sessions, which is expected for a CLI that maintains sessions.
- Install Mechanism
- noteThis is an instruction-only skill (no automated install); INSTALLATION.md documents three user-approved install options: a Homebrew tap (philipp-eisen/tap), GitHub releases (download archive), or running from source (bun). Those are reasonable for a community CLI, but the Homebrew tap is a third-party tap and the prebuilt archive download requires trusting the GitHub release artifacts—users should verify release provenance/checksums. Running from source requires bun; the instructions correctly require explicit user approval before installing.
- Credentials
- okThe skill declares no required environment variables or credentials. It explicitly instructs interactive login and says not to ask users for email/password inline. The presence of a default session file (~/.config/padel-tui/session.json) is expected for a CLI that stores sessions; the skill does not instruct reading or exporting that file.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request permanent presence, modify other skills, or ask for cross-skill credentials. Autonomous invocation remains enabled (platform default) but is not combined with other red flags.