Skillv1.0.0

ClawScan security

ollama-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 8, 2026, 3:01 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, instructions, and dependencies are consistent with its stated purpose of integrating Ollama into agents and IDEs; it does not request unrelated credentials or perform unexpected actions.
Guidance: This skill appears coherent and focused on Ollama integration. Before installing: (1) review and trust the referenced GitHub repo and example code (you will run pip/npm installs); (2) run installs in an isolated environment (virtualenv/container) and inspect requirements for any packages you don't recognize; (3) only provide OLLAMA_API_KEY to code you trust and prefer to use local Ollama if you need to keep data on-prem; (4) if you plan to run the docker-compose, verify the image name and volumes are acceptable for your environment.

Review Dimensions

Purpose & Capability: okName/description (Ollama integration for agents/IDEs) aligns with included files: examples, adapter, requirements (ollama, openai, anthropic), and docker-compose for local Ollama. The requested artifacts (examples, Python adapter) are proportionate to an integration skill.
Instruction Scope: okSKILL.md and example scripts instruct cloning the repo, setting OLLAMA_HOST/API_BASE/MODEL and optionally OLLAMA_API_KEY for cloud use, installing Python/Node deps, and running examples. Instructions reference only local endpoints (localhost) and Ollama cloud; they do not direct the agent to read unrelated host files or exfiltrate data to unexpected endpoints.
Install Mechanism: okNo built-in install spec; the skill is instruction+examples. Dependencies are declared in requirements.txt and package.json and are standard packages (ollama, openai, anthropic, dotenv, requests, zod). No downloads from obscure URLs or extracted archives were found. docker-compose uses the official 'ollama/ollama' image.
Credentials: okThe skill does not declare required env vars; examples use OLLAMA_HOST, OLLAMA_API_BASE, OLLAMA_MODEL, OLLAMA_EMBED_MODEL and optionally OLLAMA_API_KEY for cloud access. These are appropriate and minimal for configuring local vs cloud Ollama endpoints and do not request unrelated secrets.
Persistence & Privilege: okNo elevated privileges requested. 'always' is false and the skill does not modify other skills or system-wide agent settings. It does not request persistent presence or hidden background execution.