Skill v1.0.3
ClawScan security
Ai Provider Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 9, 2026, 5:50 PM)
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are consistent with a multi-provider AI API bridge: it calls the explicit cloud APIs and a local Ollama endpoint and only requires provider API keys for the providers you choose to use — but review network calls and secret handling before installing.
- Guidance
- This skill appears to do what it says: it routes chat requests to the declared cloud APIs or a local Ollama instance. Before installing, consider the following:
  - Only provide API keys for providers you intend to use; granting keys gives the code the ability to send your prompts and history to those cloud services.
  - The bridge will include conversation history and any system prompt you set in requests to external APIs — that may expose sensitive data. Review where you set system prompts and what you include in history.
  - The source uses only Node built-ins (http/https) and the hosts it calls are the expected provider endpoints (api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, api.x.ai, api.mistral.ai) and the configured Ollama host. If you plan to use Ollama, keep the host pointed at a local instance (default 127.0.0.1) and avoid pointing it at unknown remote servers.
  - The SKILL.md had a prompt-injection pattern flag; that appears to be a conservative scanner match. If you are risk-sensitive, open and review SKILL.md and src/ai-bridge.js fully (particularly any remaining code after the truncated portion) to ensure there are no hidden endpoints or surprising behaviors (e.g., arbitrary URLs built from untrusted input).
  - If you need higher assurance, run the code in an isolated environment, inspect network traffic on first use, and avoid storing provider keys in plain text where other software can read them.
- Findings
- [system-prompt-override] unexpected: A prompt-injection pattern was flagged in SKILL.md frontmatter. The SKILL.md discusses system prompts and documents setSystemPrompt()/removed buildSystemPrompt(), but I did not find active instructions that attempt to override the agent's system prompt or exfiltrate secrets. This looks like a cautious false-positive or a detection of content that references system prompts; still worth a human review of the frontmatter and any embedded YAML for hidden instructions.
Review Dimensions
- Purpose & Capability
- ok: Name/description (unified interface for multiple AI providers) matches the code and SKILL.md: the implementation routes requests to Anthropic, OpenAI, Google, xAI, Mistral, or a local Ollama instance. Requesting API keys for those providers is expected and proportional.
- Instruction Scope
- note: SKILL.md documents optional env vars and usage examples that map process.env values into the bridge's config. The bridge itself expects API keys passed in the config object (this.config.*) and will throw if you attempt to use a provider without configuring its key. The skill sends conversation history and an optional system prompt to external APIs — this is expected for a chat bridge but is a privacy/data-exposure consideration you should accept consciously.
- Install Mechanism
- ok: No install spec is present; the package contains only source and docs and uses Node's built-in http/https modules. There is no download-from-URL or third-party dependency installation in the manifest.
- Credentials
- note: SKILL.md declares multiple provider API keys as optional env vars, which is appropriate for this multi-provider bridge. Registry metadata lists no required env vars — not a security issue, but a minor mismatch: API keys are optional unless you plan to call that provider. The code uses config properties rather than implicitly reading process.env, so supplying keys via constructor is required for cloud providers.
- Persistence & Privilege
- ok: The skill is not always-enabled and does not request elevated platform privileges. It does not attempt to modify other skills or system settings. It does make outbound HTTPS/HTTP requests to known provider hostnames and to a configurable Ollama host.
