Skill v1.0.0

ClawScan security

API Health Checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 14, 2026, 6:11 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's declared purpose (API testing and reporting) aligns with its instructions and it requests no unexpected installs or credentials — it appears to do what it says.
Guidance
This skill is coherent for API testing, but exercise caution when providing secrets or testing internal endpoints. Do not paste long-lived production API keys into prompts unless you trust the environment; prefer short-lived or scoped tokens. Decide in advance whether response bodies and headers (which may contain sensitive data) should be included in reports. Limit tests to the endpoints you control and avoid instructing the skill to scan internal/localhost addresses unless you intend that. If you need continuous monitoring, verify how results will be stored or transmitted — this instruction-only skill does not declare any persistent storage or transmit destinations, so ask the publisher how reports are delivered and retained before sending sensitive data.

Review Dimensions

Purpose & Capability
ok: Name and description match the SKILL.md instructions: sending HTTP requests, validating responses, handling auth headers, measuring timing, and producing reports. There are no declared environment variables, binaries, or installs that don't belong to an API health checker.
Instruction Scope
note: Instructions are limited to making HTTP requests and validating responses, which is appropriate. They allow arbitrary endpoints, custom headers, and request bodies (including authentication tokens). That is expected for this purpose, but it also means the skill will accept and use sensitive values provided by the user and can be pointed at internal/private endpoints if the user asks it to.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. This minimizes risk from installation artifacts — nothing is downloaded or written to disk by an installer.
Credentials
note: The skill declares no required environment variables or credentials, which is consistent because authentication is expected to be provided per-request via headers or bodies. Users should be aware this means any API keys or bearer tokens must be supplied in prompts or request configurations (not stored by the skill).
Persistence & Privilege
ok: always is false and the skill is user-invokable (normal). The SKILL.md does not request persistent background monitoring or self-enablement, so it does not ask for elevated or permanent privileges.