Skill v2.6.1

ClawScan security

statsfm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 30, 2026, 5:00 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (querying the public stats.fm API and optionally a user's public stats) and do not request unexplained credentials or hidden endpoints.
Guidance
This skill appears to be a straightforward stats.fm client: it will make unauthenticated HTTPS requests to api.stats.fm and, if you provide a username, fetch that user's public/personal stats. Before installing, confirm your environment can run Python 3.6+ (the package contains a Python script) and be aware that providing a stats.fm username or storing it in memory/ENV (STATSFM_USER) exposes your public listening history to the skill. The metadata omits declaring the optional STATSFM_USER env var and does not list Python as a required binary—make sure the platform will run the script as intended. If you want to avoid any personal-data calls, do not supply a username.

Review Dimensions

Purpose & Capability
ok: Name/description (stats.fm music data) align with the included Python client and the referenced stats.fm API endpoints. The behavior (fetching user and public charts/streams data) is consistent with the stated purpose.
Instruction Scope
ok: SKILL.md instructs the agent to call multiple stats.fm endpoints and to request a username for personal queries. It does not direct reading unrelated user files or exfiltrating data to third-party endpoints. The guidance to check agent memory for a stats.fm username is expected for a personalized-data skill.
Install Mechanism
note: There is no install spec (instruction-only), but the package includes a Python script (scripts/statsfm.py). The skill claims the script uses only the stdlib (no extra packages). The registry metadata does not declare a required Python binary; ensure the host can run Python 3.6+ before invoking the script.
Credentials
ok: No secrets or credentials are required. The code optionally reads STATSFM_USER from the environment (DEFAULT_USER) to default the username — this is proportional to the feature. No other sensitive env vars or unrelated credentials are requested.
Persistence & Privilege
ok: The skill is not always-enabled and uses default autonomous invocation settings. It does not request system-wide changes or access to other skills' configs.