Skill v1.0.0
ClawScan security
Prefy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 2, 2026, 11:18 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions align with a multi-feature Prefy integration, but the SKILL.md expects API keys (Prefy API key, Supabase JWT, possibly Stripe) while the skill metadata declares no required credentials — this mismatch and the presence of high-privilege operations (remote shell commands, phone calls, payment checkout) are concerning.
- Guidance: The skill appears to document genuine Prefy API endpoints, but the metadata fails to declare the secret keys the SKILL.md clearly expects. Before installing or enabling this skill: 1) Ask the author to explicitly list required environment variables (e.g., PREFY_API_KEY, SUPABASE_JWT, any Stripe keys) in the skill manifest. 2) Only provide the minimum-scoped credentials necessary (use per-skill API keys or short-lived tokens if possible). 3) Be cautious about granting server-agent JWTs or payment credentials — these enable remote shell commands and creating payment checkouts. 4) Verify the official Prefy documentation and TLS endpoints (https://prefy.com/docs) and confirm the skill's source/maintainer identity. 5) If you must test, do so in an isolated account or sandbox environment with limited privileges. If the author cannot justify the undeclared credentials, treat the skill as untrusted.
Review Dimensions
- Purpose & Capability (concern): The skill claims to connect to the Prefy platform (chat, search, images, servers, AutoCall). The SKILL.md shows it needs a Prefy API key (PREFY_API_KEY / pc_...), a Supabase JWT for server/agent APIs, and implies integration with Stripe and third-party audio providers. However, the registry metadata lists no required environment variables or primary credential. Declaring no credentials is inconsistent with the documented usage and credential patterns in SKILL.md.
- Instruction Scope (note): SKILL.md provides concrete API endpoints and sample payloads and stays within the described Prefy capabilities. It does, however, document server management 'agent commands' that include 'shell <cmd>' (remote shell execution on provisioned servers) and creating Stripe checkouts, which are high-privilege actions. The instructions do not ask the agent to read local files or unrelated system state, but they do enable potentially dangerous remote operations if invoked with credentials.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk or downloaded at install time. That minimizes install-time risk.
- Credentials (concern): The SKILL.md expects secret credentials (Prefy API key, Supabase JWT) and hints at Stripe usage and third-party audio services, but the skill metadata lists none. Requiring multiple secrets for different subsystems (API, auth for server agents, payment) is plausible for the described functionality but must be explicitly declared; the omission is a proportionality and transparency issue. Any required tokens would grant significant access (API calls, server control, payment flow).
- Persistence & Privilege (ok): The skill is not marked always:true and is user-invocable with normal autonomous invocation settings. It does not request persistent presence or modifications to other skills. That privilege level is typical for an integration skill.
