Back to skill
Skillv1.0.1
ClawScan security
Venice Admin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 20, 2026, 1:08 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, required environment variable, and install steps match its stated purpose (Venice account admin) and do not request unrelated privileges or hidden exfiltration.
- Guidance
- This skill appears coherent with its stated purpose, but take these precautions before installing: 1) Only use a genuine Admin API key when you explicitly need admin operations (do not use it for routine inference). 2) Verify the 'uv' brew formula comes from a trusted source before installing, since 'uv' will run the Python scripts and install dependencies. 3) Review the included scripts if you have any doubt — they are short and only call api.venice.ai endpoints and read VENICE_API_KEY. 4) Avoid committing your Admin key to source control and consider using an inference-only key for day-to-day tasks.
Review Dimensions
- Purpose & Capability
- okThe name/description (account balance, usage, API key management) aligns with the requested VENICE_API_KEY and with the three included scripts that call Venice API endpoints. Requiring an Admin API key is appropriate for the listed endpoints (/billing/balance, /billing/usage, /api_keys).
- Instruction Scope
- okSKILL.md instructs the agent to run the included Python scripts via 'uv run'. The scripts only read VENICE_API_KEY, call https://api.venice.ai/api/v1 endpoints, and optionally write user-specified output files. There are no instructions to read unrelated files, other env vars, or transmit data to third parties beyond the Venice API.
- Install Mechanism
- okInstall uses a brew formula 'uv' to provide the required runner binary. Brew installs are a standard, low-risk mechanism. The scripts rely on uv to satisfy PEP 723 inline dependencies (httpx), which is consistent with the runtime note in SKILL.md. As with any third-party formula, users should verify the 'uv' package origin before installing.
- Credentials
- okOnly a single env var (VENICE_API_KEY) is required and it is the appropriate credential for admin-level Venice API operations. No unrelated secrets, config paths, or multiple credential types are requested.
- Persistence & Privilege
- okThe skill is not force-included (always:false) and does not request elevated platform persistence. It does not modify other skills or system-wide settings; it simply runs CLI scripts when invoked.