Skill v1.0.0

ClawScan security

Playtomic - Book courts using padel-tui · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 8:29 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only helper for using the padel-tui CLI to book Playtomic courts; its requested actions and install instructions align with that purpose and do not ask for unrelated credentials or privileged access.
Guidance
This skill is coherent and limited to driving the padel-tui CLI, but follow these precautions before installing or using it:
1) Only run install steps after you explicitly approve them.
2) Prefer Homebrew or GitHub releases from the official repo; verify release checksums/signatures if available.
3) If running from source, be aware 'bun install' will fetch remote packages; inspect repository/package manifests if you are concerned.
4) Never paste your password into chat; perform 'padel-tui auth login' interactively in your terminal as instructed and confirm completion manually.
5) Confirm any booking/cancel operations before they are executed since they have real user impact.

Review Dimensions

Purpose & Capability
ok: The name/description describe Playtomic booking via padel-tui and all runtime instructions focus on running that CLI (search, book, matches, match-cancel). There are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
ok: SKILL.md confines actions to verifying/using the padel-tui binary, prompting the user to authenticate interactively, and performing explicit booking/cancel operations only after user confirmation. It does not instruct reading unrelated system files or exfiltrating data. It documents the default session file (~/.config/padel-tui/session.json) which is expected for a CLI that stores session state.
Install Mechanism
note: This is instruction-only (no installer executed automatically). Installation guidance references reasonable sources: Homebrew tap (philipp-eisen/tap), GitHub releases (prebuilt tarball), or running from source (bun install). These are typical but the 'run from source' path implies fetching packages (bun/npm) and the tarball path requires user care to verify release integrity. The skill correctly requires explicit user approval before installing.
Credentials
ok: No environment variables or external credentials are requested by the skill. The only config artifact mentioned is the CLI session file (~/.config/padel-tui/session.json), which is appropriate for a CLI that maintains login state. The SKILL.md explicitly prohibits asking the user for credentials and requires interactive auth.
Persistence & Privilege
ok: The skill does not request permanent presence (always:false) and cannot modify other skills or system-wide configs. It only instructs use of a user-local session file for CLI auth, which is normal for such tools.