Skill v1.0.0

ClawScan security

Buy Me a Pie · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 6:36 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, files, environment needs, and install steps are coherent with an unofficial Buy Me a Pie API client — it only asks for the account login and PIN and uses Python to call api.buymeapie.com.
Guidance
This skill appears to be a straightforward, unofficial API client: it needs your Buy Me a Pie login and PIN (used as HTTP Basic Auth) and will make requests to https://api.buymeapie.com. Before installing: verify you trust the skill publisher (source is listed as unknown), review the full scripts locally, and test in a safe environment; consider using a dedicated account or rotating your PIN if you later stop trusting the skill. The package installs Python via Homebrew if needed — ensure that installation method is acceptable for your environment. Finally, the provided code in the bundle implements expected API calls and does not request unrelated secrets or external endpoints.

Review Dimensions

Purpose & Capability
ok: Name/description (manage Buy Me a Pie lists) aligns with the bundle: a small Python client + shell wrapper, API surface docs, and requests to api.buymeapie.com. Required env vars (BUYMEAPIE_LOGIN, BUYMEAPIE_PIN) and python3 are appropriate for HTTP Basic Auth API access.
Instruction Scope
ok: SKILL.md instructs the agent to run the shipped scripts and to use browser fallback only for signup/PIN/OAuth/print/visual checks. The instructions do not ask the agent to read unrelated files or exfiltrate data to unknown endpoints.
Install Mechanism
ok: Install uses Homebrew to ensure python3 is available (formula: python). No remote, arbitrary code downloads or extract steps are present in the install spec; the bundle contains the source files to run.
Credentials
ok: Only the login and PIN environment variables are required, which is proportionate for HTTP Basic Auth to the target API. No unrelated credentials or secret/config paths are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated system presence or modify other skills. It runs as a normal, on-demand helper script.