Skill v1.0.1
ClawScan security
PropAI Live · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 11:02 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it bundles a local license client and optional license API template that match the SKILL.md instructions; nothing in the files appears to perform unrelated or hidden exfiltration.
- Guidance: This package is primarily a licensing client and a small license-api template that matches the SKILL.md. Before installing or running it:
  1. Understand that activating a license will send your license key plus a machine fingerprint (derived from hostname, platform, user) to the license API (default documented production URL).
  2. Activation stores a licenseToken and metadata in ~/.propai-live/license-state.json (you can override the directory). Treat that file as sensitive and use scripts/license-deactivate.mjs or clearState to remove it if needed.
  3. If you don't trust the default production endpoint, use the --api flag or PROPAI_LIVE_LICENSE_API_URL to point to a license server you control; running the included license API requires setting DATABASE_URL and deploying PostgreSQL.
  4. There are no hidden network endpoints or obfuscated code, but review any remote API URL you supply and be cautious with the license key. If you want extra assurance, inspect the state file contents and the network calls (e.g., via a local proxy) before using production credentials.
Review Dimensions
- Purpose & Capability (ok): The code and SKILL.md align with a realtor automation suite that enforces licensing. The included license client scripts and a small license-api template are reasonable components for a product that gates write operations. No unrelated cloud credentials or unrelated binaries are requested.
- Instruction Scope (note): Runtime instructions ask the agent to run the included Node CLI scripts (activate/status/guard/deactivate) and the 'propai-live' CLI. Those scripts: (1) call a license API (default production URL documented), (2) read/write a local state file (default ~/.propai-live/license-state.json) and (3) derive a machine fingerprint from hostname/platform/username. This behavior is coherent for license enforcement, but it's important to note the scripts store licenseToken and metadata locally and will contact the license API; SKILL.md documents --api and the PROPAI_LIVE_LICENSE_API_URL option.
- Install Mechanism (ok): There is no external install download; this is an instruction-only skill with bundled Node scripts and a small express/pg sample server. No remote archives or URL-shortened installers are used. Running the included server requires Node and a PostgreSQL DATABASE_URL if you choose to run it.
- Credentials (note): No required environment variables are declared in the registry metadata, which matches the skill being usable via CLI flags. The code does use optional env vars (PROPAI_LIVE_LICENSE_API_URL, PROPAI_LIVE_STATE_DIR, PROPAI_LIVE_MACHINE_ID) and the license-api server requires DATABASE_URL to run. Those env vars are reasonable and documented for this purpose. The scripts require a user-supplied license key (sensitive) which is sent to the license activation endpoint; this is proportionate but worth being aware of.
- Persistence & Privilege (note): The skill stores license state and tokens in a file under the user's home directory (~/.propai-live/license-state.json) and derives/stores a machine fingerprint. This is expected for activation/entitlement checks, but means local persistent secrets (licenseToken) are created; the skill does not declare always:true or modify other skills.
