ClawHub

Brazilian CEP using the ViaCEP API

v1.0.0

Looks up address data for a Brazilian CEP using the ViaCEP API.

1· 9·0 current·0 all-time
by@guilherme-funchal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: index.js calls the ViaCEP public API and returns address fields. Declared runtime (node + npm) and the dependency on axios are reasonable for an HTTP-based lookup.
Instruction Scope
SKILL.md limits behavior to CEP lookups, describes triggers and outputs, and does not instruct reading unrelated files or environment variables. The runtime code only reads the incoming message text and performs an HTTP GET to viacep.com.br.
Install Mechanism
This is effectively an instruction-only skill but includes code and package.json; installation is via npm (axios dependency). The SKILL.md 'install' block suggests installing axios via an npm installer entry and lists a 'bins' field for axios (axios is a library, not a CLI binary) — this is a minor metadata inconsistency but not a security concern. No downloads from untrusted URLs or archive extraction are present.
Credentials
No environment variables, credentials, or config paths are requested. The code does not access process.env or other secrets. The test runner monkeypatches module loading in local test mode only and does not introduce secret access.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide configuration. It uses normal autonomous invocation defaults; this is expected for a user-invocable lookup skill.
Assessment
This skill appears to do exactly what it says: it needs node/npm and the axios npm dependency to make outgoing HTTPS requests to the public ViaCEP API. Before installing, note: (1) installation will run npm install which downloads packages from the public registry; review package.json if you want to vet dependencies. (2) When invoked the skill will send the CEP (postal code) to viacep.com.br — if CEPs you send are considered private in your context, avoid sharing them. (3) The SKILL.md metadata has a small mismatch (it lists axios as a binary), but that is harmless. If you want extra assurance, run the included tests in mock mode (node test.js --mock) to verify local behavior without network calls.

Like a lobster shell, security has layers — review code before you run it.

latestvk9797zjscnmqqymx1pyxs3sjx584d640

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📮 Clawdis
Binsnode, npm

Comments