Skill v1.0.1

ClawScan security

uf2.net URL Shortener · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 5:21 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is internally consistent with a uf2.net CLI wrapper and legitimately needs an API key, but there are small metadata inconsistencies and a modest scripting vulnerability you should be aware of before installing.
Guidance
This skill appears to do what it says: a small CLI wrapper around uf2.net. Before installing: (1) be aware it requires your uf2.net API key (UF2_API_KEY) — prefer adding that to a secure secret store rather than plaintext shell profiles, (2) the package metadata does not list the required env var (UF2_API_KEY) although the SKILL.md and script require it — treat that as a bookkeeping error and confirm your environment handling, and (3) the included script builds JSON bodies by naive string concatenation (no escaping). That can break on inputs containing quotes/newlines and could cause malformed requests; if you accept untrusted input into the script, consider improving it to safely escape JSON (for example using jq --arg or printf with proper escaping). If you rely on this skill in an automated agent, ensure the agent's secret storage and policy enforce secure handling of UF2_API_KEY and review the script changes above.

Review Dimensions

Purpose & Capability
note: The skill's name/description (uf2.net URL shortener) match the provided SKILL.md, API reference, and scripts: it performs link create/list/get/delete and requires an API key. However, registry metadata at the top of the package states 'Required env vars: none' and 'Primary credential: none' while SKILL.md and scripts explicitly require UF2_API_KEY — this mismatch should be corrected.
Instruction Scope
ok: Runtime instructions are narrowly scoped to interacting with the uf2.net API via curl and the included scripts. The SKILL.md does not instruct the agent to read unrelated files or exfiltrate data to unexpected endpoints; it only references storing/using the UF2_API_KEY and using the official uf2.net endpoints.
Install Mechanism
ok: This is an instruction-only skill with an included shell script; there is no install spec that downloads or executes remote archives or packages. No high-risk install URLs or extraction steps are present.
Credentials
concern: The script and SKILL.md require a single API credential (UF2_API_KEY), which is appropriate for the stated functionality. The concern is that the package-level metadata does not declare this required environment variable; that inconsistency could cause automation or permission checks to miss that a secret is needed. Also, the SKILL.md suggests adding the API key to a shell profile as one persistence option; users should prefer secure stores.
Persistence & Privilege
ok: The skill does not request always:true or elevated/system-wide privileges and does not modify other skills or system-wide settings. It runs as an on-demand CLI wrapper using environment-provided credentials.