Skillv1.0.0

ClawScan security

QuorumAI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 2, 2026, 12:07 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code-free instructions, required tools, and single API key align with its stated purpose of calling quorumai.io; nothing requested is disproportionate or unrelated to that task.
Guidance: This skill is internally consistent: it simply sends the user's question and the provided API key to quorumai.io and returns the JSON response. Before installing, consider: (1) using the skill will transmit user prompts to a third party — avoid sending highly sensitive secrets or personal data; (2) treat QUORUMAI_API_KEY as a secret (do not paste it into chat) and only grant it if you trust quorumai.io; (3) verify the quorumai.io domain and its privacy/tos if you care about data retention; (4) rotate/revoke the API key if you stop using the skill or suspect misuse.

Purpose & Capability: okName/description (multi-model synthesis via QuorumAI) matches the runtime instructions and required items: a single QUORUMAI_API_KEY and curl are all that are needed to call the external QuorumAI API.
Instruction Scope: noteSKILL.md only instructs posting the user's question to https://quorumai.io using curl and presenting the returned JSON. This is coherent, but it does mean user prompts are transmitted to an external service; the doc does not attempt to read other files, environment variables, or system state.
Install Mechanism: okInstruction-only skill with no install spec and only a curl requirement — nothing is downloaded or written to disk by an installer.
Credentials: okOnly one environment variable (QUORUMAI_API_KEY) is required and is necessary for the Authorization header. No unrelated credentials or config paths are requested.
Persistence & Privilege: okalways is false and the skill does not request elevated or persistent system presence. There is no indication it modifies other skills or system-wide settings.