Back to skill
Skillv1.0.0
ClawScan security
Skylv Api Status Checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 20, 2026, 5:54 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This instruction-only skill is coherent with its stated purpose (API health checks); it contains no unexpected credential requests or installs, but it assumes a PowerShell runtime and uses a placeholder URL without guidance to request the real endpoint.
- Guidance
- This skill appears to do only what it claims (basic HTTP health checks) and does not request credentials or install code. Before enabling: ensure the agent environment can run PowerShell (Invoke-WebRequest) or revise the instructions to be cross-platform; confirm the skill will be given the real API endpoint (not the placeholder api.example.com); verify how it should handle authenticated endpoints; and be aware that running the check will make outbound network requests (these requests may be logged by your network or the target). If you need checks on authenticated or non-PowerShell environments, request changes to the SKILL.md first.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the SKILL.md shows how to check an endpoint's status and response time thresholds. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope
- noteInstructions are narrowly scoped to performing an HTTP health check and classifying results. However, the SKILL.md uses a PowerShell command (Invoke-WebRequest) and a hardcoded placeholder URL (https://api.example.com/health) but does not instruct the agent to prompt for or accept the real target endpoint or to report/store results. It also does not describe how to handle authentication if the real API requires it.
- Install Mechanism
- noteNo install spec (instruction-only), which is lowest-risk. But the runtime instructions assume PowerShell is available; the skill does not declare that dependency, so it may fail or behave differently on non-Windows shells.
- Credentials
- okThe skill requests no environment variables, secrets, or config paths, which is proportionate for a simple API checker.
- Persistence & Privilege
- okalways is false and the skill has no install actions or persistent configuration. It does not request elevated or cross-skill privileges.