Skill v1.1.0
ClawScan security
Axiom Distributed Science · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 6:05 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions are coherent with its stated purpose: it only documents using curl to query an external Axiom JSON API and to submit plain-text suggestions, and it does not ask for extra credentials or install anything.
- Guidance: This appears internally consistent and safe to inspect, but keep these practical cautions in mind: (1) When asking the agent to submit a suggestion, any text you provide will be posted to an external site — avoid including sensitive or identifying information. (2) The API exposes URLs to experiment scripts; do not automatically execute downloaded scripts—treat them as untrusted code. (3) Verify the homepage (https://axiom.heliex.net) yourself if you need assurance about the project's legitimacy. (4) If you plan to have the agent fetch large amounts of data or fetch and run code, restrict it to read-only review only and avoid execution. If you want a deeper check, provide the homepage content or more metadata so I can verify origin and content authenticity.
Review Dimensions
- Purpose & Capability (ok): Name/description describe a read/query interface to the Axiom distributed science network; the skill only requires curl and documents public HTTP endpoints — this is proportionate and expected.
- Instruction Scope (ok): SKILL.md instructs the agent to perform HTTP GETs and an optional POST to the documented Axiom API endpoints. It does not direct the agent to read local files, access unrelated environment variables, or execute fetched experiment scripts. The only potential privacy implication is that user-provided suggestion text will be sent to an external service when using the POST endpoint.
- Install Mechanism (ok): No install spec or code is provided (instruction-only), so nothing gets written to disk or downloaded by an installer. Required binary is only curl, which matches the documented usage.
- Credentials (ok): The skill requests no environment variables, credentials, or configuration paths — consistent with a public-read API client and a simple suggestion POST endpoint.
- Persistence & Privilege (ok): always is false and the skill is user-invocable only; it does not request persistent system presence or elevated privileges.
