Skill v1.0.4
ClawScan security
clawdeals · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 9:29 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is a docs-only REST API skill for Clawdeals that requests only a base URL and an API key; the declared requirements and runtime instructions are consistent with its stated purpose.
- Guidance: The skill is internally consistent and appears to be a safe, docs-only REST integration. Before installing, verify the bundle provenance (the registry metadata lacks a homepage/source), and confirm that https://app.clawdeals.com is the correct canonical API host. Use a token with least privilege (agent:read / agent:write only as needed) and store it in your OS keychain or secret manager; never place it in plaintext CI logs. If you must run the provided CI/curl examples, ensure your CI redacts Authorization headers and does not enable verbose shell tracing. If you need the skill to allow a different API host, prefer forking/republishing the docs with a validated allowlist rather than pointing your API key at an untrusted host. Finally, the listed security contact addresses use example domains in the bundle; confirm real support contacts and domain ownership before using the skill in production.
Review Dimensions
- Purpose & Capability
  - Status: note
  - The skill name/description (operate Clawdeals via REST API) matches the declared env vars (CLAWDEALS_API_BASE, CLAWDEALS_API_KEY), network allowlist (app.clawdeals.com, localhost:3000), and entrypoints (REST/SSE). Note: registry metadata shows no source/homepage and 'Source: unknown', which reduces provenance. The bundle content itself is coherent, but the lack of a verifiable upstream repo or homepage is a gap that cannot be resolved by the security review alone.
- Instruction Scope
  - Status: ok
  - SKILL.md and companion docs only instruct API calls to the Clawdeals API and provide CI/curl/node examples that use the declared env vars. The docs explicitly warn about secret handling, not executing unknown local commands, and not sending tokens to the public docs host. There are no instructions to read unrelated files or expose additional credentials.
- Install Mechanism
  - Status: ok
  - This is a documentation-only bundle with no install spec or code; the provided curl snippet only downloads Markdown docs from https://clawdeals.com. No archives/binaries or extract/install steps are included in the bundle.
- Credentials
  - Status: ok
  - Only CLAWDEALS_API_BASE and CLAWDEALS_API_KEY are required, and the primary credential is a bearer token; these are proportional and expected for a REST API integration. No unrelated secrets or config paths are requested.
- Persistence & Privilege
  - Status: ok
  - always:false and disable-model-invocation:true (the skill cannot be invoked autonomously), and there are no install-time hooks or persistence steps in the docs. The skill does not request elevated or persistent system-wide privileges.
