Skill v1.0.0
ClawScan security
Apple Search Ads · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 5:37 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is coherent with its stated purpose (managing Apple Search Ads via asa-cli). It mostly only instructs the agent to use the ASA CLI and local config, but it expects the CLI and Apple Search Ads credentials to be available even though the metadata doesn't declare them.
- Guidance: This skill looks like a straightforward guide for using the asa-cli tool and is coherent with its purpose. Before installing or using it: (1) Ensure you have asa-cli from a trusted source (the skill does not install it for you). (2) Be aware the commands will read/write ~/.asa-cli/config.yaml and token_cache.json and may read a local private key file you point to; avoid providing private keys you don't trust. (3) The skill metadata omitted declaring required binaries and optional env vars (ASA_CLIENT_ID, ASA_TEAM_ID, ASA_KEY_ID, ASA_PRIVATE_KEY_PATH), so provide only the minimal credentials/scopes needed (or use ephemeral credentials). (4) If you want to limit blast radius, run these commands in an isolated environment or review ~/.asa-cli/ contents after use. (5) If you need higher assurance, ask the publisher for the asa-cli binary source and a manifest so you can verify it before running.
Review Dimensions
- Purpose & Capability (note): The SKILL.md clearly targets Apple Search Ads and documents asa-cli commands for campaigns, ad groups, keywords, and reports, which matches the skill name/description. However, the metadata declares no required binaries or credentials while the instructions assume the presence of the asa-cli binary and Apple Search Ads credentials (client-id, team-id, key-id, private key path or env vars). This is a minor inconsistency in metadata vs runtime expectations, not an indication of hidden behavior.
- Instruction Scope (ok): The runtime instructions remain focused on ASA management and related utilities (jq, date). They do reference reading/writing the ASA CLI config and token cache in ~/.asa-cli/ and using a local private key path; these filesystem actions are expected for a CLI-based integration and are within the stated scope.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so there is nothing being downloaded or written by the skill itself. The only install expectation is that the asa-cli binary is present on PATH; the metadata should have declared that but did not.
- Credentials (note): The SKILL.md documents environment variable overrides (ASA_CLIENT_ID, ASA_TEAM_ID, ASA_KEY_ID, ASA_ORG_ID, ASA_PRIVATE_KEY_PATH) and describes use of a private key file and token cache. The metadata lists no required env vars or primary credential. The credentials referenced are appropriate for Apple Search Ads usage, but the metadata omission is an inconsistency the user should be aware of.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills. It will read/write its own CLI config under ~/.asa-cli/, which is normal for a CLI integration and within scope.
