Skill v1.0.6
ClawScan security
neuropay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 1:56 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, required API key, and documented endpoints are consistent with a NeuroPay API integration; there are only minor documentation/metadata inconsistencies to clarify before trusting it with credentials.
- Guidance: This skill appears coherent for interacting with NeuroPay and only requires your NeuroPay API key. Before installing:
  1) Verify the publisher/source (there's no homepage and the source is 'unknown'); prefer skills from an official NeuroPay or trusted publisher.
  2) Confirm how the agent will obtain/store the key: SKILL.md says to use NEUROPAY_API_KEY and never persist or log it; ensure the agent platform respects that.
  3) Note the metadata inconsistency (registry said no env var required while SKILL.yaml requires NEUROPAY_API_KEY) and the inconsistent <API_KEY> placeholder in examples; ask the author to clarify.
  4) Test in a sandbox account or with a scoped API key with limited permissions first.
  5) Never provide other unrelated credentials; only supply the NeuroPay API key if you trust the service and the skill's publisher.
Review Dimensions
- Purpose & Capability: ok. The name/description match the SKILL.md content: cURL examples and endpoints target neuropay.fr and cover bots, services, orders, profiles, and reviews as advertised. No unrelated services, binaries, or capabilities are requested.
- Instruction Scope: note. SKILL.md stays within scope: it describes authenticated API calls, uses an environment variable, and provides concrete cURL examples. Minor issues: the examples sometimes use the placeholder <API_KEY> rather than the declared NEUROPAY_API_KEY name, and the file emphasizes 'never store the key in files' while still instructing the agent to prompt the user if the env var is missing (this is reasonable but requires careful implementation). No instructions ask the agent to read unrelated files or contact endpoints outside neuropay.fr.
- Install Mechanism: ok. Instruction-only skill with no install spec and no code files, the lowest-risk install model. Nothing is downloaded or written by an installer.
- Credentials: note. The only sensitive item needed is an API key (NEUROPAY_API_KEY), which is proportionate to the described API interactions. However, registry metadata listed 'no required env vars' while SKILL.yaml declares NEUROPAY_API_KEY as required; this mismatch should be resolved. Examples also inconsistently refer to <API_KEY> vs the NEUROPAY_API_KEY name.
- Persistence & Privilege: ok. 'always' is false and the skill does not request any persistent system privileges or modify other skills/config. No autonomous elevation of privilege beyond normal agent invocation.
