Skill v0.1.0

ClawScan security

Aport Handoff · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 3:24 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This instruction-only skill is internally consistent with its stated purpose: it builds a verifiable handoff by calling APort verification endpoints and producing a saved handoff document.
Guidance
This skill is coherent and lightweight, but note it will perform network verification against aport.io and produce a local handoff file. Before installing or invoking it:
1) confirm aport.id / aport.io are services you trust and that decision IDs you publish are safe to share;
2) be explicit about where the agent may save files and whether it may post to GitHub/Slack/Discord, and grant those permissions only when you approve;
3) if your APort decisions are private or require authentication, verify how your agent will authenticate (the skill doesn't request credentials itself); and
4) if you do not want any external network calls, do not allow the agent to run this skill or block network access for it.

Review Dimensions

Purpose & Capability
ok
The skill's name/description (packaging verified work for handoff) matches the actions it requires: fetching APort decisions and assembling a handoff document. It does not request unrelated credentials, binaries, or config paths.
Instruction Scope
note
SKILL.md instructs the agent to perform HTTP GETs to aport.io verification endpoints, assemble a markdown handoff, save a local copy, and optionally deliver it via GitHub, Slack, Discord, or other messaging tools (with user permission). These actions are within the stated scope, but they involve network calls and writing a local file — the user should be aware the agent will contact an external API and may post to third-party channels if allowed.
Install Mechanism
ok
No install spec and no code files are present (instruction-only), so nothing is written to disk at install time and no third-party packages are pulled in.
Credentials
ok
The skill declares no required environment variables or credentials. It mentions using an APort passport and optional CLI (npx aport-id) as a prerequisite, which is reasonable for verifying decisions and is not requested as a secret by the skill itself.
Persistence & Privilege
ok
always:false and no special system-level privileges are requested. The skill does ask the agent to save a local copy of the handoff and optionally send it to external channels, but it does not modify other skills or request persistent elevated privileges.