Skill v1.0.0
ClawScan security
AIOZ Storage Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 3:08 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions align with its stated purpose (deploying static sites to AIOZ Storage); it asks for expected credentials and uses a local grant-generator script — nothing in the package appears to perform unrelated or hidden data exfiltration.
- Guidance
- This skill appears to do what it says: it will ask you for your AIOZ account email/password, bucket passphrases and rootZKey/accountId so it can create grants and upload site files. Before installing or running it: (1) confirm you trust the AIOZ service and the upstream GitHub templates, (2) avoid reusing high-value passwords — use an account or credentials you can revoke if needed, (3) be aware that using 'npx ts-node' will fetch tooling from the npm registry if ts-node isn't present (run in an isolated environment if you are concerned), and (4) if you have concerns, inspect/execute grant-cli.ts in a sandbox or translate it to a pre-built JS file so you don't rely on npx to pull runtime deps. Overall the skill is internally consistent and not exhibiting hidden/excessive behavior, but handle the requested credentials cautiously.
Review Dimensions
- Purpose & Capability
- ok: Name/description (deploy static sites to AIOZ Storage) match the included artifacts: SKILL.md describes login, template cloning, grant generation, S3 upload and API calls. Required binaries (node, npx, curl) are reasonable for the described flow. The grant-cli.ts implements the grant generation referenced in the flow and is appropriate for the skill's purpose.
- Instruction Scope
- note: Instructions explicitly ask the user for AIOZ email/password, bucket passphrases and to fetch rootZKey from the AIOZ API — these are sensitive but required for the service. The SKILL.md confines actions to cloning the GitHub templates, calling the AIOZ API (api.aiozstorage.network), generating grants with the included script, and uploading to S3 — there are no instructions to read unrelated system files or send data to unexpected endpoints. Verify you trust the AIOZ service before providing credentials.
- Install Mechanism
- note: There is no install spec; the skill includes grant-cli.ts and a package.json. The recommended invocation uses 'npx ts-node grant-cli.ts', which will cause npx to fetch ts-node if it's not already present. Fetching tools via npx/npm is common here but carries transient supply-chain risk — expected for running a TypeScript script but worth noting.
- Credentials
- ok: The skill requests no environment variables or unrelated credentials. It does prompt for service-specific secrets (email/password, passphrases, rootZKey/accountId) that are necessary for creating and registering grants and buckets on AIOZ; these are proportionate to the task.
- Persistence & Privilege
- ok: The skill is not always-enabled and doesn't request system-wide configuration or persistent privileges. It does include a local CLI script (grant-cli.ts) which the agent may run during a session; that is normal and limited in scope to grant creation.
