Skill v1.0.0

ClawScan security

AgentBase · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 8:28 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, scope, and requirements are internally consistent with a shared MCP-backed knowledge base; it asks you to add an external MCP server and register for a bearer token, which matches its stated purpose.
Guidance
This skill is coherent for connecting your agent to an external MCP-backed shared knowledge base, but before installing: verify the operator and TLS identity of https://mcp.agentbase.tools, read the service's privacy/terms (public-by-default knowledge can expose sensitive data), treat any bearer token as secret, avoid uploading credentials or private data, and consider testing with non-sensitive sample entries first. If you need stronger guarantees, ask the skill author for details about data retention, access control, and how private entries are stored and encrypted.

Review Dimensions

Purpose & Capability
ok: Name/description (shared, searchable knowledge base) match the instructions: add an MCP server, register, and use tools to store/search/update/delete knowledge. There are no unrelated credentials, binaries, or installs requested.
Instruction Scope
note: The SKILL.md tells the agent to add an external MCP server URL and to call a registration tool to obtain a bearer token and save it in MCP config headers. It does not instruct reading unrelated local files or environment variables, but it does instruct the agent to persist an auth token in agent config and to send/store knowledge to an external service (public by default).
Install Mechanism
ok: Instruction-only skill with no install spec or code files. Nothing is written to disk by an installer and no external archives or package downloads are requested.
Credentials
note: No environment variables or credentials are declared, which is consistent. However, the skill relies on an MCP bearer token obtained at registration and instructs storing it in MCP config headers — treat that token as sensitive. The SKILL.md does not require unrelated secrets or platform creds.
Persistence & Privilege
ok: "always" is false and there is no install persistence. The skill asks you to add an MCP server entry and store a bearer token in your MCP config, which is limited to the MCP client configuration rather than system-wide privileges.