Skill v1.0.0

ClawScan security

Rate Limit Validator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 1:13 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and instructions match its stated purpose of testing HTTP rate limiting, with only minor inconsistencies and operational caveats to be aware of.
Guidance

This skill is coherent and lightweight, but review these practical points before using it:

- Ensure you have explicit permission to run burst tests against the target (testing third-party services without authorization can be abusive or illegal).
- The script declares curl as required but also calls bash, seq, grep, and rm; make sure those are available on the host or add them to the declared dependencies.
- The provided test is sequential (not concurrent); depending on the gateway's throttling rules you may need to run concurrent requests to trigger rate limits, but increasing concurrency or request count can cause downtime. Start with low counts and increase cautiously.
- The header check performs a separate HEAD request; some services only surface rate-limit headers on actual application requests or per authenticated user, so interpret results accordingly.
- Consider running tests from the same client/IP and authentication context the real clients use, as rate limits are often per-IP, per-user, or per-API-key.

If you want higher assurance about safety or intended behavior, ask the skill publisher to: (1) list all binaries the script relies on, (2) add an explicit concurrency option, and (3) include a clear authorization/ethics notice in SKILL.md.

Review Dimensions

Purpose & Capability
ok: Name and description match the runtime instructions: the SKILL.md provides a simple curl-based script to send a burst of GETs and check for 429 responses and rate-limit headers. The requested binary (curl) is appropriate for the stated task.
Instruction Scope
note: The runtime script sends repeated requests to a target and checks headers, which stays within the stated purpose. However, the script assumes additional utilities (bash, seq, grep, rm) that are not listed in requires.bins. The SKILL.md explicitly notes this is for testing your own deployments, but the instructions do not enforce or verify authorization; an operator must ensure they have permission to test a remote service to avoid abuse/DoS.
Install Mechanism
ok: Instruction-only skill with no install steps or external downloads. This minimizes supply-chain risk.
Credentials
ok: No environment variables, credentials, or config paths are requested. The level of requested access is proportionate to the stated purpose.
Persistence & Privilege
ok: The skill does not request permanent presence (always: false) or modify other skills or system configs. It runs ad-hoc tests as expected.