Skill v0.0.1
ClawScan security
uctoo-api-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 7:21 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, docs, and runtime instructions are consistent with an API-integration skill for the UCTOO backend and do not request unexplained privileges or external installs.
- Guidance: This skill appears to do what it says: translate user requests into calls to the UCTOO backend. Before enabling it, consider: (1) it will make network requests to the backend (default host https://javatoarktsapi.uctoo.com) — only enable if you trust that endpoint, (2) you or users may provide credentials (username/password) during login flows; the service/platform will store session tokens for automatic injection — ensure you’re comfortable with that behavior, (3) the package includes optional helper scripts that, if run locally, will call the backend and may log responses (check scripts/api_client*.py/js and test_api.py before running), and (4) docs reference BACKEND_URL and other env vars though the skill metadata does not declare them as required — if you need the skill to target a different host, set BACKEND_URL accordingly. If you want further assurance, review the test scripts and token-handling logic in scripts/api_client.* to confirm how tokens and logs are handled.
Review Dimensions
- Purpose & Capability (ok): The name/description (uctoo backend API integration) align with the included SKILL.md and the scripts, which all target the same backend URL and standard CRUD/auth endpoints. The skill does not request unrelated credentials or system access in its registry metadata.
- Instruction Scope (note): SKILL.md instructs the agent to call the provided backend via the runtime http_request tool and relies on an automatic per-session token management behavior. That is coherent for an API skill. Small scope notes: the repository docs and scripts refer to environment variables (BACKEND_URL, DEEPSEEK_API_KEY in README) and include CLI test scripts (python/js) which, if executed, will make network calls and may print/store tokens — these are optional manual artifacts and are not required by SKILL.md at runtime.
- Install Mechanism (ok): There is no install spec; the skill is instruction-first and ships helper scripts. Nothing downloads remote code during install and no archive URLs or external package installs are specified.
- Credentials (note): The registry metadata declares no required env vars or credentials, which matches SKILL.md. However several documentation files and scripts reference BACKEND_URL and (in README) DEEPSEEK_API_KEY as optional configuration — this is a mild inconsistency (docs mention env vars though the skill doesn't require them). The scripts default to the public javatoarktsapi.uctoo.com host if BACKEND_URL isn't set.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request persistent system-wide privileges. The SKILL.md describes session-level token storage/injection (platform feature) but the skill itself does not request extra persistence or attempt to modify other skills.
