Skill v0.0.3
ClawScan security
Sophiie AI Office Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 18, 2026, 6:21 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose, required tools/credentials, and runtime instructions align: it legitimately needs curl, jq, and a Sophiie API key to call api.sophiie.ai and the shipped script implements only those calls.
- Guidance: This skill appears internally consistent and only needs your Sophiie API key to make authenticated HTTPS calls to api.sophiie.ai. Before installing: (1) Confirm you trust the skill source (registry owner ID is present but homepage/source are limited); (2) Prefer using a sandbox/test key (sk_test_*) or a key scoped to minimal permissions if Sophiie supports scoping; (3) Be aware the script will make live API calls (60 req/min rate limit) and will act with whatever privileges the key grants; (4) Review updates before accepting new versions since the skill runs a local shell script. If you don't trust the key's scope or the publisher, do not install or use a full-production key.
Review Dimensions
- Purpose & Capability (ok): Name/description describe Sophiie REST API management and the skill only requests curl, jq, and SOPHIIE_API_KEY — all directly relevant to making authenticated HTTP calls to the documented api.sophiie.ai endpoints.
- Instruction Scope (ok): SKILL.md and scripts/sophiie.sh restrict actions to the listed Sophiie API endpoints. The script builds JSON payloads with jq (avoiding string interpolation), only references SOPHIIE_API_KEY, and does not read other files, credentials, or send data to any other external host.
- Install Mechanism (ok): No install spec (instruction-only plus a local script). Nothing is downloaded or executed from external/obscure URLs; the provided shell script will run locally and uses standard system tools (curl, jq).
- Credentials (ok): Only SOPHIIE_API_KEY is required and is the documented primary credential for the Sophiie API. No unrelated secrets, config paths, or extra credentials are requested.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated persistence or modify other skills/config; it's a normal, on-demand agent skill that uses an included script.
