Back to skill
Skillv1.0.0
ClawScan security
orbcafe-graph-detail-ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 12:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only UI helper for building ORBCAFE graph/detail/agent flows; its requested footprint (no installs, no env vars, no binaries) matches its stated purpose.
- Guidance
- This skill is an instruction-only UI helper and appears internally consistent. Before installing or using it, verify that: (1) any code you implement from its snippets persists LLM API keys and settings securely on the server side (do not expose keys in client logs or public debug panels), (2) any baseUrl used points to your organization's LLM endpoint (the recipe shows '/llm-api' as an example), and (3) you audit any real implementation that wires onSaveAll to storage to ensure keys/templates are saved atomically and not leaked. Because the skill is instruction-only, the real security posture depends on how you implement the saved settings and LLM integrations.
Review Dimensions
- Purpose & Capability
- okThe name/description (graph dialogs, detail pages, AI settings) aligns with the SKILL.md recipes and references. The skill does not request unrelated credentials or binaries, and all required behaviours are UI-focused and consistent with building ORBCAFE components.
- Instruction Scope
- okRuntime instructions are constrained: pick domain, load a minimal recipe, apply guardrails, and return a small code snippet + data model. The SKILL.md does not instruct reading system files, environment secrets, or sending data to unexpected external endpoints.
- Install Mechanism
- okNo install spec and no code files that would be written/executed — instruction-only skills present the lowest install risk. Nothing is downloaded or extracted.
- Credentials
- noteThe skill requests no environment variables or credentials (proportionate). Note: the recipes and CCustomizeAgent examples mention an apiKey/baseUrl for LLM integration; that is appropriate for a UI settings flow, but any implementation that persists or transmits API keys should handle them securely (server-side storage, not client logs).
- Persistence & Privilege
- okalways is false and the skill is user-invocable only. It does not request persistent system-wide configuration changes or other skills' credentials.