Skill v1.0.0
ClawScan security
FollowinOpenAPI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 1:45 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is an instruction-only reference for the Followin OpenAPI and its curl examples; its requirements and instructions match the stated purpose and nothing appears disproportionate.
- Guidance: This skill is a documentation helper and appears coherent. Before installing, verify you intend to call api.followin.io and that the service is legitimate. If you obtain an API key to use with Followin, prefer sending it in an Authorization header rather than as a query parameter (query parameters can be logged or leaked via referer headers). Installing curl via Homebrew is harmless on most systems but may be unnecessary if curl is already present. As always, never share your API keys publicly and confirm TLS (https) is used when calling the API.
Review Dimensions
- Purpose & Capability (ok): Name and description state it documents Followin OpenAPI endpoints; the SKILL.md contains only endpoint docs, parameters, responses, and curl examples. Requiring curl and providing a brew install for curl is coherent with the stated purpose (curl examples). No unrelated binaries, env vars, or credentials are requested.
- Instruction Scope (ok): The runtime instructions are limited to API documentation and example requests to https://api.followin.io. They do not direct the agent to read local files, environment variables, other services, or transmit data to unexpected endpoints. The examples explicitly show passing an API key via query or Authorization header, which aligns with the documented authentication method.
- Install Mechanism (note): Install spec only offers a brew formula for curl. This is reasonable, but installing curl via brew may be redundant on many systems (curl is commonly present). The install source (Homebrew) is a standard package manager; no arbitrary downloads or archive extraction are used.
- Credentials (ok): The skill declares no required environment variables or credentials. The documentation references an API key as required by the Followin API, which is appropriate and limited in scope. No unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system or agent-wide privileges. There are no instructions to modify other skills or system-wide configuration.
