Back to skill
Skillv1.2.0
ClawScan security
Trade Show Exhibitor Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 2, 2026, 12:54 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it only needs a Lensmor API key and its instructions call the Lensmor API to return exhibitor matches as described.
- Guidance
- This skill appears to do exactly what it says: call Lensmor's exhibitor search using your LENSMOR_API_KEY. Before installing or using it, verify the Lensmor vendor/domain (platform.lensmor.com) and the API key's permissions; don't paste secrets or personally-identifiable data into company_url/target_audience fields if you want to avoid sharing them with a third-party. Test with non-sensitive inputs first, check Lensmor's privacy/processing policies, and ensure you can revoke/rotate the API key if needed. Because the skill sends your inputs to an external API, treat provided business intelligence as shared data with that vendor.
Review Dimensions
- Purpose & Capability
- okName/description match what the skill does: it queries Lensmor's exhibitor search endpoint. Declared requirements (single LENSMOR_API_KEY) and referenced endpoints (platform.lensmor.com) align with the stated purpose; no unrelated credentials or binaries are requested.
- Instruction Scope
- okSKILL.md gives precise runtime steps: check LENSMOR_API_KEY, collect company_url or target_audience, optionally resolve event_id, POST to /external/exhibitors/search, and format results. It does not instruct reading other files, scanning unrelated env vars, or sending data to non-Lensmor endpoints. It will, however, transmit user-provided company URLs and free-text audience descriptions to the external Lensmor API (expected behavior for this skill).
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by an installer. This is the lowest-risk install model.
- Credentials
- noteOnly requests a single LENSMOR_API_KEY (declared as primary), which is proportionate to its function. Note that user inputs (company_url, target_audience) will be sent to the Lensmor service — consider whether those inputs contain sensitive or proprietary data before submitting them.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request permanent presence or to modify other skills or system settings.