Skill v1.0.0
ClawScan security
wendian stock · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 7:10 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (market data / heatmaps) matches its instructions and requirements: it's an instruction-only wrapper that calls Wendian Starmap HTTPS endpoints using a single API key, with no installs or unrelated privileges requested.
- Guidance: This skill appears coherent and limited in scope, but you should: 1) Verify the API hostname and the official Wendian Starmap docs (https://markethot.wendian.net) before supplying an API key; 2) Use a dedicated, limited-scope API key (not credentials reused from other services); 3) Review Wendian's pricing/terms and data-retention policy for any privacy or cost implications; 4) If you prefer tighter control, restrict autonomous invocation so the agent cannot call the skill without your explicit approval.
Review Dimensions
- Purpose & Capability: ok. Name/description (real-time quotes, heatmaps, sector analytics) align with the runtime instructions and endpoints (markethot.wendian.net). The only required secret is an API key for the stated service, which is expected for this purpose.
- Instruction Scope: ok. SKILL.md contains concrete HTTPS endpoints and example curl requests. It instructs using an API key in an X-API-Key header and does not ask the agent to read unrelated files, env vars, system config, or to send data to third-party endpoints outside the documented API.
- Install Mechanism: ok. No install spec and no code files; this is an instruction-only skill. No downloads or package installs are required, which minimizes filesystem/execution risk.
- Credentials: ok. Only one environment variable/credential (WENDIAN_MARKETHOT_APIKEY) is required and is appropriate for authenticating to the described API. No extra credentials, config paths, or broad secrets are requested.
- Persistence & Privilege: ok. "always" is false and the skill does not request persistent system changes. Model invocation is allowed (platform default) but that is normal for skills; nothing in the skill attempts to modify other skills or system-wide settings.
