Back to skill
Skillv1.0.0
ClawScan security
AlphaMountain API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 9:18 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with its description: it only needs an alphaMountain API key and issues POSTs to api.alphamountain.ai to retrieve domain intelligence.
- Guidance
- This skill is internally consistent, but before installing: (1) verify you trust alphaMountain.ai (the registry metadata lacks a homepage/source), (2) do not send private/internal hostnames or secrets—the service will receive any hostname you query, including raw HTML/screenshots returned by some sections, (3) protect and rotate the ALPHAMOUNTAIN_API_KEY like any API secret, and (4) check billing/quota and privacy terms for the provider to ensure acceptable handling of submitted data.
Review Dimensions
- Purpose & Capability
- okName/description = domain threat scoring and intelligence; declared primaryEnv = ALPHAMOUNTAIN_API_KEY and SKILL.md uses that key to call https://api.alphamountain.ai/intelligence/hostname. Requested credential aligns with the stated purpose.
- Instruction Scope
- okSKILL.md contains explicit curl POST examples and section selection guidance limited to the alphaMountain API. It does not instruct reading other environment variables, files, or transmittal to unrelated endpoints. Note: some sections (scan_dom, scan_screenshot, pdns, whois) will return raw HTML, screenshots, or historical DNS data — expected for this use but could include sensitive content if you submit internal hostnames.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files, so nothing is written to disk or downloaded during install.
- Credentials
- okOnly a single API key (ALPHAMOUNTAIN_API_KEY) is required and used directly by the documented calls. No unrelated credentials or high-privilege env vars are requested.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system changes or access to other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges here.