Skill v1.0.0
ClawScan security
CDISC Library API Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 11:21 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill generally matches its stated purpose (a CDISC Library API client), but the package metadata omits a required credential and a Python dependency, and the code reads a repository-level TOOLS.md file and writes cache files. These mismatches and behaviors deserve attention before installing.
- Guidance: This skill appears to implement a legitimate CDISC Library API client, but the manifest metadata is incomplete. Before installing:
  1. Expect to provide a CDISC API key (CDISC_API_KEY); the code fails without it. The SKILL metadata should declare this requirement but currently does not.
  2. Ensure the Python 'requests' library is available; the package has no install script.
  3. Review any TOOLS.md at your repository root (the client will try to read it to extract an API key) and remove any sensitive data from that file.
  4. Note that the skill writes cache files under skills/cdisc/.cache/; in a shared environment, consider where those files will be stored.
  5. commands/cache.py contains an apparent syntax error (a stray backtick and a malformed import/insert line) that may cause runtime errors; review and fix the code before use.
  If you cannot verify these points, or cannot provide a dedicated CDISC API key, do not install or run the skill.
Review Dimensions
- Purpose & Capability (concern): The skill's name, description and included code consistently implement a CDISC Library API client and expose the CLI commands advertised. However, the registry metadata declares no required environment variables or dependencies, while the code and SKILL.md clearly require an API key (CDISC_API_KEY, or a value read from TOOLS.md) and the 'requests' Python package. This mismatch between declared requirements and actual needs is inconsistent and should be corrected.
- Instruction Scope (note): SKILL.md and the code limit runtime actions to calling https://api.library.cdisc.org, caching responses, and reading an API key. The cdisc_client explicitly attempts to read TOOLS.md (three levels above the file) to find an API key and fails if no key is found. The skill also creates and writes cache files under its own .cache directory. These behaviors are plausible for the claimed purpose, but reading a repository-level TOOLS.md is broader file access than many users expect.
- Install Mechanism (concern): There is no install spec even though the Python code requires the external 'requests' library (the client prints an error and exits if 'requests' is missing). The package ships code files, not just instructions, yet the registry metadata declares no dependencies. That omission is inconsistent and increases installation risk: silent runtime failures or unexpected prompts to install packages.
- Credentials (concern): The only credential the code needs is a CDISC API key, which is expected for this integration. However, the registry does not declare CDISC_API_KEY as required. The client will attempt to read TOOLS.md for an API key, which means it may parse repository files outside the skill directory; if TOOLS.md contains other secrets, the client could inadvertently read them. No other unrelated credentials are requested.
- Persistence & Privilege (ok): The skill does not request 'always' or elevated privileges. It writes cache files into its own skills/cdisc/.cache/ directory, which is normal for caching. It does not modify other skills or global agent configuration. Autonomous invocation is enabled (the platform default) but is not combined with unusual privileges here.
