Skill v1.0.0
ClawScan security
1p.io Shortlink API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 20, 2026, 11:51 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are internally consistent with a URL-shortening/feature-request service, but it will transmit user URLs and require an API key/OTP from an owner email (privacy and provenance checks recommended).
- Guidance: This skill appears coherent for a link-shortening and feature-request tool, but before enabling it you should: 1) confirm the legitimacy and privacy policy of 1p.io (no homepage is provided in the metadata); 2) be aware that the skill will send any URL >80 characters to an external service — avoid shortening sensitive URLs (private tokens, internal links, PII) without explicit consent; 3) understand the registration flow: it uses an owner email and an OTP to issue an api_key — plan how that api_key will be stored and revoked; 4) test with non-sensitive links first and verify rate limits and org scoping; and 5) if you require stronger assurance, ask the publisher for a homepage, documentation, or source code so you can verify the service and endpoints.
Review Dimensions
- Purpose & Capability (ok): Name/description (shorten links and submit feature requests) match the SKILL.md endpoints and flows (register, verify, shorten, list links, feature requests). There are no unrelated environment variables or binaries requested.
- Instruction Scope (note): Instructions stay within the stated purpose (register/verify, create/list/delete shortlinks, submit/vote on features). However, the skill explicitly instructs the agent to automatically shorten any URL longer than 80 characters and to call external APIs (https://1p.io). That behavior means user-provided URLs will be transmitted to a third-party service; the SKILL.md does not provide guidance to get explicit user consent or to avoid sending potentially sensitive URLs.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written to disk by the skill itself.
- Credentials (note): The skill does not request environment variables up front. Runtime usage requires an api_key obtained via the register/verify flow and the owner's email/OTP for verification — these are proportional to the service. The SKILL.md lacks guidance on secure storage/rotation of the api_key once issued.
- Persistence & Privilege (ok): always is false and there is no installation or background persistence requested. The skill does not ask to modify other skills or system settings.
