Skill v1.0.0
ClawScan security
Nightscout-Local · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 12, 2026, 4:27 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The code and runtime behavior match a read-only Nightscout reader, but the skill's documentation and metadata contain inconsistencies (hardcoded user paths and an undeclared env var) that warrant caution before installation.
- Guidance: This skill appears to do what it says (read-only Nightscout queries), but before installing:
  1. Verify or correct SKILL.md paths — the docs reference /Users/serveradmin/... and a current_bg.py that is not included; running those commands as-is may fail or reveal irrelevant filesystem paths.
  2. Provide NIGHTSCOUT_BASE_URL explicitly at runtime (the script uses it though the metadata didn't declare it).
  3. Inspect the included Python script locally — it's short and readable and only issues HTTP GETs to the configured Nightscout URL and prints JSON.
  4. Only point the skill at Nightscout endpoints you trust (no credentials are used, but the skill will contact whatever URL you provide).
  5. If you plan autonomous use, ensure the agent is restricted to only trusted Nightscout sites.
  If you want higher assurance, ask the publisher to fix the documentation inconsistencies and explicitly declare NIGHTSCOUT_BASE_URL in the skill metadata.
Review Dimensions
- Purpose & Capability (note): The Python script and SKILL.md implement read-only Nightscout reads (current, recent, status), which is coherent with the skill name and description. However, the skill metadata lists no required env vars while SKILL.md and the script rely on an environment variable NIGHTSCOUT_BASE_URL (or --url). Also, SKILL.md references an alternate helper path (/Users/serveradmin/.openclaw/workspace/scripts/current_bg.py) that does not match the included script (scripts/nightscout_read.py).
- Instruction Scope (concern): Instructions include absolute filesystem paths specific to a user (/Users/serveradmin/.openclaw/...) and a reference to a different script (current_bg.py) that is not present in the package — this is sloppy and may cause confusion/failure. Otherwise the instructions only tell the agent to call the bundled script and set a base URL; the script only performs HTTP GETs to the provided Nightscout endpoint and prints JSON (no hidden network destinations).
- Install Mechanism (ok): There is no install spec and no external downloads; the skill is instruction-only with a small included Python script. No archives or third-party installers are used.
- Credentials (note): The skill does not request credentials and operates with an optional NIGHTSCOUT_BASE_URL (or --url). That env var is reasonable for its purpose but was not declared in the skill's required env metadata — an inconsistency the user should be aware of.
- Persistence & Privilege (ok): `always` is false, the skill does not request persistent/system-level configuration, and the script does not modify system state or other skills. Agent autonomous invocation is allowed but not unusual.
