Skill v1.0.2
ClawScan security
Felo SuperAgent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 3, 2026, 8:36 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions mostly match a Felo SuperAgent chat integration, but the package metadata omits the required FELO API credential and the SKILL.md contains unusual instructions (reuse LiveDoc IDs from any source) that could lead to cross-context leaks — review before installing.
- Guidance: This skill appears to be a legitimate Felo SuperAgent client, but there are two issues you should consider before installing:
  1) Missing declared credential: The scripts require FELO_API_KEY (and may use FELO_API_BASE), but the skill metadata does not list any required environment variables or primary credential. Treat this as a red flag — the skill will attempt to call openapi.felo.ai and needs an API key. Only provide an API key if you trust the skill's origin. Prefer to create a key with the least privileges needed and use an account dedicated to automation (not your main account).
  2) Cross-context state reuse: The SKILL.md instructs the agent to 'reuse live_doc_id from ANY source' (including IDs from other skills or prior operations). That can unintentionally mix data or surface resources from other sessions. If you have private LiveDocs or sensitive material in other Felo canvases, this behavior could lead to accidental exposure. Consider asking the skill author to restrict LiveDoc reuse to the same skill/session or to ask the user explicitly each time.

  Other practical checks:
  - Verify the skill source (there is no homepage and the owner ID is opaque). Prefer skills with a clear GitHub/homepage and maintained repository.
  - Inspect the included scripts (you already have them) and confirm the only remote calls go to openapi.felo.ai; if you intend to run, you can review network endpoints and logs locally before supplying secrets.
  - If you install, set FELO_API_KEY in a restricted environment (not a global shell profile) and consider rotating the key after testing.

  Given the metadata omission and the 'reuse any source' instruction, treat this package as suspicious until the author clarifies the credential declaration and justification for live_doc reuse.
Review Dimensions
- Purpose & Capability (note): Name, README, SKILL.md, and the two included scripts implement a conversational SuperAgent client (streaming SSE, LiveDoc association, style library). That aligns with the stated purpose. However, the registry metadata claims no required environment variables or primary credential while both scripts explicitly require FELO_API_KEY (and optionally FELO_API_BASE). This mismatch is an important incoherence: a networked API client legitimately needs an API key, but the skill manifest failed to declare it.
- Instruction Scope (concern): SKILL.md gives very prescriptive runtime rules (always use --json, print data.answer verbatim, always persist and reuse thread/live_doc IDs). Two concerning instructions: (1) 'Reuse live_doc_id from ANY source' — telling the agent to accept a LiveDoc ID from any prior operation or other skills can cause cross-session/cross-skill context mixing and accidental disclosure of resources. (2) Forcing verbatim output of data.answer and appending image URLs prevents the agent from sanitizing or adding user-protective context. While these may be intended for fidelity, they widen the scope of what the agent will surface without review.
- Install Mechanism (ok): No install spec is present (instruction-only + included scripts). There is no network download/install step in the manifest — the code is shipped in the skill bundle. This is low installation risk compared with remote installers.
- Credentials (concern): The scripts require an API key (FELO_API_KEY) and optionally FELO_API_BASE, which is proportionate to an API client. However, the skill metadata / registry omitted these required environment variables and lists none — that's an incoherence. The omission could cause users or automated installers to miss that a secret is needed, or misrepresent the required privileges. No other unrelated credentials are requested.
- Persistence & Privilege (note): The skill asks to persist and reuse thread and live_doc IDs across calls to maintain continuity — this is expected for a multi-turn chat skill. 'always' is false, and the skill does not request to become always-enabled or change other skills. The instruction to reuse LiveDoc IDs from any source is noteworthy: it increases blast radius for cross-context state reuse but is not the same as gaining system-wide privileges.
