Skillv1.0.6

ClawScan security

Pre Flight · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 4, 2026, 1:04 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (preventing unauthorized agent actions) matches what it asks for and how it operates, but it will send natural-language descriptions of proposed actions to an external API—so review what you allow the agent to disclose to that service.
Guidance: PreFlight is coherent for its purpose: it will call an external ICME API and needs your ICME_API_KEY and ICME_POLICY_ID to operate. Before installing, decide whether it's acceptable for your agent to send descriptions of proposed actions (which may include recipients, amounts, file paths, or other sensitive text) to a third-party service. If you proceed: (1) limit the data the agent includes in action descriptions (use redaction or abstract descriptions where possible), (2) use a policy_id scoped to the minimal resources, (3) rotate and scope the API key, and (4) review ICME's privacy/payment terms (the skill references paid check endpoints and an x402 payment flow). The small metadata mismatch (primaryEnv present in SKILL.md but not in registry metadata) is not a functional issue but you may want to confirm the canonical primary credential before onboarding.

Review Dimensions

Purpose & Capability: okName/description claim to enforce policy checks before consequential actions aligns with required environment variables (ICME_API_KEY, ICME_POLICY_ID) and the SKILL.md instructions which call an external ICME API. One minor registry inconsistency: the SKILL.md metadata lists primaryEnv: ICME_API_KEY while the registry metadata earlier reported no primary credential — this is superficial and does not change capability alignment.
Instruction Scope: noteThe SKILL.md instructs the agent to POST plain-English action descriptions and plans to ICME endpoints (checkLogic, checkRelevance, checkIt). That is coherent for a guardrail. However, because the agent will typically send descriptions of proposed actions, those requests can include sensitive data (recipients, file paths, transaction details). The skill does not instruct reading arbitrary host secrets or system files, but it does recommend running relevance checks 'before every action', which could cause frequent outbound transmission of action text.
Install Mechanism: okInstruction-only skill with no install spec and no code files. No packages or archives are downloaded or extracted by the skill itself, minimizing installation risk.
Credentials: noteRequested env vars (ICME_API_KEY, ICME_POLICY_ID) are appropriate and limited to the external policy service the skill integrates with. There are no unrelated credentials or config paths requested. Consider that the API key grants the external service the ability to receive action descriptions tied to your policy_id and produce verdicts; if those action descriptions contain sensitive data, you are effectively sending that data to the provider.
Persistence & Privilege: okalways is false and the skill is instruction-only (no background persistence or config modification). The skill can be invoked autonomously by the agent (disable-model-invocation is false), which matches its purpose as a runtime guardrail. It does not request system-wide or other-skills' configuration access.