Skillv1.0.4

ClawScan security

Biver Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 26, 2026, 12:36 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an instruction-only integration for the Biver Landing Page Builder API and its declared requirements (an API key and optional base URL) are coherent with the described functionality, though there is a minor metadata inconsistency between the registry record and the SKILL.md.
Guidance: This skill appears to do what it claims: it needs a BIVER_API_KEY to call the Biver API and provides endpoint and header examples. Before installing or supplying your live key: (1) prefer using a bvr_test_ key first and grant minimal scopes; (2) manually inspect the GitHub repository referenced in SKILL.md before cloning or running any code; (3) verify the repository and author identity (the registry metadata and SKILL.md disagree about whether credentials are required — assume the SKILL.md is authoritative and that you must supply BIVER_API_KEY); (4) do not paste a bvr_live_ key until you trust the repo, and rotate keys after use. If you see any install scripts in the repo that download or execute remote archives, or if the repo requests other unrelated secrets, treat the skill as suspicious and do not proceed.

Purpose & Capability: okName and description match the SKILL.md instructions: creating/updating/deleting pages, domains, assets, workspace settings, etc. The actions described legitimately require an API key and an optional base URL.
Instruction Scope: okSKILL.md contains API endpoints, authentication header examples, and installation guidance. It does not instruct the agent to read unrelated local files, harvest other credentials, or transmit data to unexpected endpoints. The instructions explicitly advise reviewing source code and using test keys.
Install Mechanism: okThere is no install spec and no code files in the packaged skill (instruction-only). Manual install instructions recommend inspecting the GitHub repo first. This is low-risk compared with remote binary downloads.
Credentials: noteThe SKILL.md declares a single required credential (BIVER_API_KEY) and an optional BIVER_API_BASE_URL, which are proportionate to the skill. However, the registry summary at the top of the submission incorrectly lists 'Required env vars: none' and 'Primary credential: none'—an inconsistency you should verify before providing credentials.
Persistence & Privilege: okSkill is not always-enabled, is user-invocable, and allows model invocation (normal). It does not request persistent system-level privileges or attempt to modify other skills' configurations in the provided instructions.