Skill v1.0.2

ClawScan security

HoneyDew · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 10:20 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is coherent with its stated purpose (managing a local HoneyDew Kanban instance) and does not request credentials or install code; only minor documentation mismatches were found.
Guidance
This skill appears to be what it claims: an instruction-set for interacting with a local HoneyDew REST API. Before installing or using it:
1) Confirm you actually run HoneyDew locally (the skill assumes a local service at http://localhost:8000 and a UI at http://localhost:5173).
2) Inspect any start/install scripts (./start.sh, ./install.sh) in the HoneyDew repo before running them.
3) Be cautious not to point SMARTIFY_API_URL at public or untrusted endpoints if you lack authentication — the app is documented as unauthenticated and exposing it could leak task data.
4) Note the minor metadata mismatch: SKILL.md references SMARTIFY_API_URL/SMARTIFY_DOCS_URL even though the registry lists no env vars; consider updating metadata or confirming expected env usage.
5) If you need stronger guarantees, review the linked GitHub repo code (start scripts, server defaults) to confirm there are no unexpected network calls or credential handling.

Review Dimensions

Purpose & Capability
ok
Name/description align with the instructions: the skill documents REST endpoints for a locally hosted HoneyDew app and helper Python tooling. The actions the skill performs (create/move/update cards, labels, boards) match the stated purpose.
Instruction Scope
note
SKILL.md stays within the scope of interacting with a local HoneyDew API and optional local repo/tools. It asks the agent to call local HTTP endpoints, run ./start.sh if the API isn't reachable, and optionally use tools/kanban_tools.py if the repo is present. Minor issues: SKILL.md references environment overrides (SMARTIFY_API_URL, SMARTIFY_DOCS_URL) and a local UI at http://localhost:5173, and includes a small quoting typo for the docs URL. The instructions do not direct the agent to read unrelated system files or to transmit data to external endpoints beyond the configured API.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files packaged into the skill — lowest install risk. The README references running install/start scripts in the HoneyDew repo, but those are part of the application the user would run locally, not an installer bundled with the skill.
Credentials
note
The registry lists no required environment variables or credentials (and no secrets), which is appropriate for a local, unauthenticated app. However SKILL.md documents optional env overrides (SMARTIFY_API_URL and SMARTIFY_DOCS_URL) that are not declared in the metadata — a minor mismatch. No sensitive credentials are requested.
Persistence & Privilege
ok
The skill does not request always:true, persistent system config paths, or cross-skill configuration. It uses normal autonomous invocation defaults (disable-model-invocation=false) which is expected for a functional skill.