Skill v1.0.2
ClawScan security
Reveal Product Feedback · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 3:34 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested credential and runtime instructions match a Reveal feedback API integration and are internally consistent; nothing requested is disproportionate to the described functionality.
- Guidance: This skill appears to be a straightforward client for the Reveal API. Before installing, confirm you trust the Reveal service and the skill's homepage (https://testreveal.ai) and that the publisher is legitimate. Only provide a REVEAL_API_KEY with the minimum required privileges, rotate it if possible, and avoid sharing long-lived master keys. Be cautious when registering webhooks: the skill will ask to point Reveal event callbacks at user-provided URLs (those endpoints will receive event payloads), and the skill will return a signing secret that you should store securely. Also verify you control or trust any custom REVEAL_BASE_URL if you set that env var. If you need higher assurance, ask the publisher for source provenance or a code artifact you can review.
Review Dimensions
- Purpose & Capability (ok): Name/description ask to manage Reveal feedback and marketing workflows; the only required credential is REVEAL_API_KEY and the SKILL.md calls only Reveal API endpoints (products, review-tasks, insights, marketing endpoints). The declared primaryEnv aligns with the claimed purpose.
- Instruction Scope (note): Runtime instructions stay within the Reveal API (GET/POST/PATCH to base URL, optional REVEAL_BASE_URL override). The instructions do include registering webhooks to user-provided URLs and returning signing secrets (expected for webhook flows); this means external endpoints may receive event payloads and should be trusted by the user.
- Install Mechanism (ok): No install spec and no code files; this is an instruction-only skill. Nothing is written to disk or downloaded during install.
- Credentials (ok): Only one credential (REVEAL_API_KEY) is required and it directly maps to the Reveal API usage described. An optional REVEAL_BASE_URL may be used to override the base URL. No unrelated secrets, system paths, or extra credentials are requested.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system privileges or modifications to other skills. The skill will run only when invoked and follows normal autonomous-invocation defaults.
