Skill v2.0.0

ClawScan security

Firehose Web Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 6:21 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with a Firehose API client: curl plus a tap token (and optionally a management key) are appropriate for the documented management and streaming operations.
Guidance
This skill is coherent with the Firehose API. Before installing: only supply the credentials you need — give the skill a tap token (FIREHOSE_TAP_TOKEN) for normal rule management and streaming. Avoid supplying the management key (FIREHOSE_MANAGEMENT_KEY) unless you need to create/list/revoke taps, because a management key can list and reveal other tap tokens. Rotate keys if you suspect exposure, restrict the key's scope where possible, and verify network policies (the skill uses HTTPS calls via curl). If you need least-privilege operation, test with a tap token that has limited rules rather than an admin management key.

Review Dimensions

Purpose & Capability
ok
Name/description match the documented endpoints. Required binary (curl) and the two API keys correspond to documented Management and Tap-token capabilities; nothing requested is unrelated to a web-monitoring/SSE API client.
Instruction Scope
note
SKILL.md is an API reference describing management and streaming endpoints; it does not instruct the agent to read local files or other system state. Note that the management endpoints explicitly return full tap tokens (GET /v1/taps), so if the management key is supplied the agent can retrieve all tap tokens — this is an API capability, not an unrelated action introduced by the skill.
Install Mechanism
ok
Instruction-only skill with no install spec or external downloads. Lowest-risk installation surface; nothing is written to disk by the skill itself.
Credentials
note
Requiring FIREHOSE_TAP_TOKEN is proportionate for streaming and rule management. FIREHOSE_MANAGEMENT_KEY is also requested and is legitimately used to create/list/revoke taps, but it grants broader access (including retrieval of other tap tokens). Only provide the management key if you need organization-level admin actions.
Persistence & Privilege
ok
The skill's always flag is false, and the skill does not request elevated platform persistence or modifications to other skills. Autonomous invocation is allowed (platform default) but is not combined with other concerning permissions.