Skill v1.0.2

ClawScan security

T.LY URL Shortener · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 9, 2026, 6:36 PM)
Verdict: suspicious
Confidence: high
Model: gpt-5-mini

Summary
The skill's behavior (it requires and uses a T.LY API token) matches its stated purpose, but the package metadata omits that required credential and there are a few proportionality/verification gaps you should resolve before installing.

Guidance
This skill appears to do what it says (shorten URLs via T.LY) but has a metadata inconsistency and a few verification steps you should perform before use:
1) Only provide a T.LY API token (TLY_API_TOKEN) when you trust the skill — the metadata should list this env var but currently doesn't.
2) Prefer setting the token as an environment variable rather than pasting it into chat or commands, to avoid leakage in logs.
3) If you plan to install the recommended PyPI package, review its publisher, source code, and recent releases on PyPI/GitHub before pip installing.
4) Ask the skill maintainer (or registry) to update the registry metadata to declare TLY_API_TOKEN as the required primary credential so the permission model is accurate.
If you cannot verify the PyPI package or the maintainer, treat the skill with caution.

Review Dimensions

Purpose & Capability
ok: The skill's name and description (create T.LY short links) align with the runtime instructions, which call the T.LY API or the official SDK/CLI. Requiring a T.LY API token is expected for this purpose.
Instruction Scope
note: SKILL.md stays within the shortener domain: it checks for TLY_API_TOKEN, validates URLs, prefers the official SDK/CLI, and gives a curl fallback to api.t.ly. It explicitly warns not to hardcode keys and to prefer env vars. It does not instruct reading unrelated files or exfiltrating data to unexpected endpoints.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files. It recommends installing the published PyPI package (tly-url-shortener-api) if available, which is a reasonable, low-risk suggestion — but the PyPI package should be reviewed before installation.
Credentials
concern: The SKILL.md explicitly requires a TLY_API_TOKEN env var, but the registry metadata lists no required environment variables or primary credential. That mismatch is an incoherence: the skill needs a secret to operate but the metadata does not declare it. Also, the curl example embeds the API token in the JSON payload (expected for the API) — the skill warns about not hardcoding keys, but users should avoid pasting tokens into public chats/command logs.
Persistence & Privilege
ok: The skill does not request persistent installation, does not set always:true, and does not claim to modify other skills or global config. Autonomy is enabled by default (disable-model-invocation:false), which is normal; no additional privileges are requested.