Skill v1.0.16

ClawScan security

Signalgrid Activity · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 6:48 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and behavior match its stated purpose (sending live/ongoing notifications via Signalgrid); the code and instructions are coherent and proportionate, but there are a couple of non-malicious coding bugs that can break functionality and should be fixed before use.
Guidance
This skill appears to be what it claims: a small Node script that POSTs multipart form data to api.signalgrid.co using SIGNALGRID_CLIENT_KEY and SIGNALGRID_CHANNEL. Before installing or using it, consider the following:

- Fix the two clear bugs in signalgrid-activity.js before relying on it in production: change the token variable to read args.token (update_token = args.token || "") so update/end flows work as documented, and define isCritical (e.g., const isCritical = finalType === 'crit') or remove it to avoid a ReferenceError that causes the script to exit non-zero even after a successful request.
- Test start/update/end flows locally after setting SIGNALGRID_CLIENT_KEY and SIGNALGRID_CHANNEL to confirm token propagation and correct exit behavior.
- Keep SIGNALGRID_CLIENT_KEY secret — treat it like any API key. Confirm the key's scope/permissions with Signalgrid and rotate/revoke if compromised.
- The skill posts to api.signalgrid.co; if you require stricter network controls, vet that domain and the Signalgrid service first.
- Because the skill runs arbitrary Node code, only install from sources you trust; the current package is small and contains no obfuscated or external downloads, but always review updates for changes.

If you want, I can produce a patched version of signalgrid-activity.js with the token and isCritical fixes and optional improvements (better exit codes, response handling, and safer logging).

Review Dimensions

Purpose & Capability
ok
Name/description, required binaries (node), and required env vars (SIGNALGRID_CLIENT_KEY, SIGNALGRID_CHANNEL) align with a notification-sending skill. The package and API host (api.signalgrid.co) are consistent with the described service.
Instruction Scope
concern
SKILL.md instructs running the included node script with parameters (including --token). The bundled script largely implements that behavior, but it contains bugs that break intended behavior: (1) the script reads args.update_token rather than args.token, so a provided --token won't be transmitted; (2) console.log references an undefined variable (isCritical), which will throw and cause the process to exit with error after the request completes. These are functional/incoherence issues in the runtime instructions vs. implementation.
Install Mechanism
ok
No install spec (instruction-only install via clawdhub). The skill contains a small Node script and package.json; there are no external downloads or obscure URLs. No extract or remote code fetch during install.
Credentials
ok
Only two service-specific env vars are required (client key and channel). These are appropriate and proportional for a notification API integration. The script only reads those two env vars.
Persistence & Privilege
ok
always:false and no install-time changes are requested. The skill does not request persistent system privileges or modify other skills/configs.