Skill v1.0.2
ClawScan security
XCrawl Map · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 3:21 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, required tools, and local config access are coherent with a mapping/crawling helper that calls the XCrawl API; nothing requested appears disproportionate or unrelated to that purpose.
- Guidance: This skill appears to do what it claims: call XCrawl's map API and return the raw response. Before installing, confirm you trust https://www.xcrawl.com and are comfortable storing XCRAWL_API_KEY in plaintext at ~/.xcrawl/config.json (the skill will read and use that key to call run.xcrawl.com). Be aware that the skill returns upstream responses verbatim — discovered URLs and other mapping results will be surfaced unchanged. Limit API key privileges if possible, secure the config file (restrict filesystem permissions), monitor credit usage, and rotate the key if you stop using the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the skill only documents how to call XCrawl's map endpoint. Requested tools (curl/node) and the local config file for an API key are appropriate and proportional to the stated functionality.
- Instruction Scope (note): Instructions explicitly require reading ~/.xcrawl/config.json for XCRAWL_API_KEY and performing POST requests to https://run.xcrawl.com/v1/map, then returning the raw API response. Reading the local config and sending the API key to the provider is necessary for the task, but the skill will return raw upstream responses (possibly including discovered URLs), so users should expect the agent to surface that data unchanged unless they request summarization.
- Install Mechanism (ok): No install spec and no code files — instruction-only. This minimizes disk-write risk; it relies on existing curl/node on PATH which matches the examples.
- Credentials (ok): No unrelated environment variables, system credentials, or config paths are requested. The only local secret is the XCrawl API key stored in ~/.xcrawl/config.json, which is justified by the need to authenticate with the XCrawl API.
- Persistence & Privilege (ok): always:false and normal agent invocation are used. The skill does not request persistent/privileged platform presence or modification of other skills; it merely reads a single user-local config file for the API key.
