Skill v0.1.1

ClawScan security

Ai Search Rank Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 24, 2026, 9:00 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to do what its README and code claim (query LLM engines and build visibility reports), but the registry metadata is inconsistent with the code: the code requires provider API keys and the install script runs npm install, yet the listing declares no required environment variables and no install spec. Proceed with caution.
Guidance
What to consider before installing:
- This skill calls external LLM provider APIs (OpenAI for ChatGPT, Anthropic for Claude, and possibly other routing layers such as OpenRouter or EZRouter). You must provide API keys (expected via a .env file), but the listing did not declare those required env vars; treat that as an omission, not as evidence that no keys are needed.
- Installing runs npm install (see scripts/install.sh / package.json), which fetches openai, @anthropic-ai/sdk and dotenv from the public npm registry. If you want to be cautious, inspect scripts/install.sh, run npm install in an isolated environment (container or VM), or vendor and verify the dependencies before executing anything on a machine that holds sensitive data.
- The skill sends your prompts and brand names to third-party LLM providers when you run it. Do not put secrets or private data into prompt files unless you trust the configured provider's account billing and data retention policies.
- The primary incoherence is in the metadata: the registry claims no required env vars, but the code and SKILL.md require API keys. Ask the publisher to update the skill metadata to list required environment variables (e.g. OPENAI_API_KEY, ANTHROPIC_API_KEY and any router-related variables) and to document which keys are mandatory and which are optional.
- Recommended actions: review scripts/install.sh; review src/* for unexpected outbound endpoints; run in an isolated or containerized environment; provide only the provider API keys the skill needs, and rotate them if you later suspect misuse; verify the publisher and source (this package appears to be a local project; no upstream homepage was provided).

Review Dimensions

Purpose & Capability
note: The codebase and package.json depend on the OpenAI and Anthropic SDKs (openai, @anthropic-ai/sdk), which match the stated purpose of querying ChatGPT and Claude. That dependency footprint is proportionate to the skill's described goal. However, the registry metadata lists no required env vars or primary credential even though the project clearly expects API keys (SKILL.md: 'Configure keys in .env'; sample outputs show Missing ANTHROPIC_API_KEY and OpenAI quota errors). The lack of declared credentials in the metadata is an incoherence.
Instruction Scope
note: SKILL.md instructs running scripts/install.sh and node src/index.js with a prompt JSON, and explicitly tells the user to configure keys in .env and that Anthropic/OpenAI and OpenRouter/EZRouter setups are supported. The runtime instructions stay within the stated purpose (no broad system file reads or unrelated data collection are instructed). The only scope issue is that the skill's runtime requires external API credentials that are implied but not declared; SKILL.md does mention configuring .env, so the behavior is not hidden, but the metadata omission is inconsistent.
Install Mechanism
ok: There is no registry install spec, but the repo includes scripts/install.sh and a package.json requiring npm dependencies (openai, @anthropic-ai/sdk, dotenv). Installing will run npm install and fetch packages from the public npm registry; no suspicious remote downloads or archive extraction from unknown hosts were observed. The minor risk: an install script exists but the skill metadata does not advertise an install step. This is an operational inconsistency, not a direct code-hosting red flag.
Credentials
concern: The project clearly expects API keys (OpenAI, Anthropic, possibly OpenRouter/EZRouter or other provider config) and accesses them via .env/dotenv at runtime, but the skill registry lists no required env vars or primary credential. This mismatch is problematic because users installing the skill may not be warned that sensitive API keys will be needed and used. Requiring multiple provider keys is proportionate to multi-engine tracking, but the omission from the declared requirements increases the risk of accidental exposure if the user misconfigures .env or shares output files.
Persistence & Privilege
ok: The skill is not always-enabled and does not request special platform privileges. It does not declare system config paths or claim to modify other skills. It will perform network calls to external LLM provider endpoints (expected for its purpose) but otherwise does not request elevated persistence or cross-skill config changes.