Skill v1.0.2
ClawScan security
PulseMon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 7:18 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is an instruction-only PulseMon API client that only requires a PulseMon API key and uses the documented endpoints.
- Guidance: This skill appears coherent and low-risk: it will make API calls to https://pulsemon.dev and requires your PulseMon API key. Before installing, verify that pulsemon.dev is the legitimate service you intend to use and that the API key can be revoked if needed. Store the key with least privilege, and be aware the agent will use that key to list/create/update/delete monitors (standard for a monitoring client). Because this is instruction-only (no install), no code will be written to disk by the skill itself; still monitor network activity and only grant the API key to skills you trust.
Review Dimensions
- Purpose & Capability (ok): Name/description (monitor cron jobs/background tasks) aligns with required env var (PULSEMON_API_KEY) and the API endpoints described. No unrelated credentials or binaries are requested.
- Instruction Scope (ok): SKILL.md only describes calling pulsemon.dev API endpoints, constructing requests, and formatting responses. It does not instruct reading unrelated files, accessing other environment variables, or sending data to unexpected third-party endpoints.
- Install Mechanism (ok): No install spec or code files are included (instruction-only), so nothing will be written to disk or installed during skill use.
- Credentials (ok): Only one environment variable is required (PULSEMON_API_KEY), which is appropriate for an API client that authenticates to pulsemon.dev.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request elevated persistence or cross-skill/system configuration. Autonomous invocation is allowed but that is the platform default.
