Skill v0.3.0
ClawScan security
Snooker Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 8:29 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and declared requirements line up with its stated purpose of querying api.snooker.org; it only needs a Snooker API key and will store that key in a local config file.
- Guidance: This skill appears coherent for fetching snooker data, but before installing: 1) you will need a SNOOKER_API_KEY and the script will store it in plaintext at ~/.nanobot/workspace/snooker/config.json — consider file permissions or using environment variables instead; 2) ensure python3 is available and run the script with python3 snooker.py if your system doesn't honor the provided shebang; 3) the tool logs URLs it fetches to stdout (not the secret), and it will send your API key to api.snooker.org in the X-Requested-By header (this is required for the API). If any of these behaviors are unacceptable (plaintext key on disk, file creation in your home), do not install or run the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description ask for snooker data from api.snooker.org and the code only calls api.snooker.org endpoints, so the requested SNOOKER_API_KEY and python3 binary are appropriate and expected.
- Instruction Scope (note): SKILL.md instructs invoking the included snooker.py script. The script will read SNOOKER_API_KEY from the environment (or a local config file) and performs only API requests to api.snooker.org. Note: the setup command writes a plaintext config.json under ~/.nanobot/workspace/snooker/, and the script prints fetched URLs to stdout (logging).
- Install Mechanism (ok): No install spec — it's instruction-only with an included Python script. Nothing is downloaded or executed from external, untrusted URLs.
- Credentials (ok): Only the SNOOKER_API_KEY credential is declared and used. The script sends that key in an X-Requested-By header to api.snooker.org and otherwise does not request unrelated credentials or env vars.
- Persistence & Privilege (note): always:false and normal autonomous invocation. The script creates and writes its own config file at ~/.nanobot/workspace/snooker/config.json to persist the API key; it does not modify other skills or system-wide settings.
