Skill v1.0.2
ClawScan security
Maxun · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 10, 2026, 5:34 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested binaries, environment variable, and runtime behavior align with its stated purpose (listing/running Maxun scraping robots); nothing here appears to be trying to do unrelated or hidden work.
- Guidance: This skill appears to do exactly what it claims: call the Maxun API to list and run scraping robots using your MAXUN_API_KEY. Before installing, confirm you trust the Maxun service and use a least-privilege API key. Be aware the included helper will source a local .env file if present (so don't keep unrelated secrets in that file for the working directory) and it sends your API key in an x-api-key header to app.maxun.dev (or a custom MAXUN_BASE_URL if set). If you need to limit exposure, create an API key scoped only for the operations the skill requires and avoid placing other sensitive credentials in the same .env or working directory.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary list (bash, curl, optional python3), and the single required env var (MAXUN_API_KEY) match the declared purpose of calling the Maxun SDK/API to list/run robots.
- Instruction Scope (note): The SKILL.md instructs the agent to call exec with exact commands like 'maxun list' that will run the included shell helper; the helper makes authenticated HTTPS API calls to app.maxun.dev and prints results. Two minor points: the helper will source a local .env file if present (it can therefore read local environment files), and the script references an optional MAXUN_BASE_URL (not listed in requires.env). These are functional conveniences but worth noting because they allow the script to pick up local secrets/config from .env.
- Install Mechanism (ok): No external install or download is performed by the skill (instruction-only with an included script). No network downloads or archive extraction are present in the install metadata.
- Credentials (ok): The skill asks only for a single service-specific credential (MAXUN_API_KEY) which is appropriate for calling the Maxun API. It does read an optional MAXUN_BASE_URL and will source a local .env if present; these are reasonable but callers should be aware the script will read .env files in its working directory.
- Persistence & Privilege (ok): always is false and the skill does not request elevated or persistent platform privileges. Autonomous invocation is allowed (platform default) but not combined with any broad credential access beyond the single API key.
