Skill v0.1.0
ClawScan security
Aport Id · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 3:23 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are consistent with its stated purpose (registering an agent with APort); it asks the agent to collect identity fields, POST to aport.id, and optionally save a passport file and update a README — nothing requested is disproportionate or unrelated.
- Guidance: This skill appears to do what it says: register an agent with APort and produce a DID-style passport. Before installing or invoking it, consider: (1) Confirm the external endpoint (https://aport.id) is legitimate and acceptable for you to send the requested identity fields and email. (2) Do not include secrets or private credentials in the payload; only provide the fields explicitly requested. (3) The skill will offer to write aport-passport.json and modify README — allow those actions only with explicit consent and review the file contents before committing. (4) Be aware that the passport and badge may be publicly visible and that the deliverable contract options (e.g., scan_output) imply content scanning/validation by APort. (5) If you need the agent to avoid transmitting any internal context, instruct it explicitly not to 'suggest defaults based on what you know about yourself.' If you want extra assurance, test the flow with a disposable email or sandbox project first.
Review Dimensions
- Purpose & Capability (ok): The skill's described purpose (obtain an APort passport/DID) aligns with what the SKILL.md asks the agent to do: gather identity fields, choose capabilities, optionally define deliverable policies, POST a JSON payload to https://aport.id/api/issue, and handle the response. It does not request unrelated credentials, binaries, or config paths.
- Instruction Scope (note): Instructions ask the agent to collect personal/agent identity data, perform an HTTP POST to aport.id, save the returned passport to aport-passport.json, and optionally add a badge to a README. These steps are within the scope of issuing a passport, but they involve sending identifying info to an external service and writing files to the current directory; the agent should only proceed with explicit user consent. The guidance to 'suggest defaults based on what you know about yourself' could lead the agent to include internal context if used carelessly — treat that as a privacy consideration.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files. This is low-risk from an installation perspective because nothing is downloaded or written by an installer.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The actions in SKILL.md (HTTP POST and optional file writes) do not require additional secrets. There is no disproportionate request for unrelated tokens or keys.
- Persistence & Privilege (note): The skill does not request permanent/always-on inclusion and uses default autonomous invocation settings (normal for skills). It will create a public-facing passport and can modify a project's README if the user agrees — those are notable, potentially persistent changes that require user confirmation, but they do not constitute excessive platform privilege.
