v1.1.0

Servicenow Docs

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 4:51 AM.

Analysis

This appears to be a benign ServiceNow documentation lookup skill; the main things to notice are that it sends queries to ServiceNow and uses a version-ranged npm dependency.

Guidance

This skill looks appropriate for ServiceNow documentation lookup. Before installing, be comfortable with sending documentation search terms to ServiceNow endpoints, and avoid entering confidential data into queries. For stricter supply-chain hygiene, prefer a version with pinned dependencies and clearer source provenance.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low. Confidence: High. Status: Note.
logic.ts
let url = `${ZOOMIN_API}?q=${encodeURIComponent(query)}&publication=latest`; ... const response = await fetch(url);

The tool sends user-provided search terms to an external ServiceNow documentation API. This is disclosed and purpose-aligned, but users should know their queries leave the local environment.

User impact: Search terms or requested documentation paths may be shared with ServiceNow-operated services during normal use.
Recommendation: Use the skill for documentation lookups, but avoid putting secrets, customer data, or confidential internal details into search queries.

Agentic Supply Chain Vulnerabilities
Severity: Info. Confidence: High. Status: Note.
package.json
"dependencies": { "zod": "^4.3.5" }

The package uses a semver caret range rather than an exact pinned dependency. This is a common, low-risk pattern for a small validation dependency, but it can allow future dependency version drift.

User impact: A future install could resolve a newer compatible dependency version than the one originally reviewed.
Recommendation: For stronger reproducibility, pin dependencies exactly or include a lockfile/provenance information when distributing the skill.