Back to skill
Skillv1.0.0
ClawScan security
amidyfortest · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 5, 2026, 3:00 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions generally match a travel-query client, but there are inconsistencies and sloppy declarations (mismatched names, undeclared environment variables, hard-coded defaults) that warrant caution before installing or using it.
- Guidance
- This skill appears to be a simple client that sends the user's full query to a backend booking service. Before installing or using it: 1) verify which skill you are installing (registry metadata name 'amidyfortest' vs SKILL.md 'trip-assistant'); 2) confirm and set BOOKING_API_BASE_URL to a trusted endpoint — the default points at host.docker.internal:8763 (local service) and could be wrong or unintended; 3) review whether you want the user's entire message (including any personal or payment info) to be sent to that backend; 4) consider replacing the hard-coded default user ID or supplying your own via BOOKING_API_USER_ID; 5) test the script against a staging endpoint first and inspect the backend (booking_assistant.fastapi_serve) to ensure it behaves as expected. These inconsistencies look like sloppy configuration rather than overtly malicious behavior, but they increase risk and should be resolved before trusting the skill.
Review Dimensions
- Purpose & Capability
- noteThe SKILL.md and scripts implement a trip-assistant that posts user queries to a backend /trip/chat/stream endpoint — this aligns with the stated travel/booking purpose. However the package metadata name ('amidyfortest') and the SKILL.md name ('trip-assistant') do not match, and the skill metadata declares no required environment variables while both SKILL.md and the script rely on BOOKING_API_* environment variables and CLI flags.
- Instruction Scope
- noteInstructions stay within the travel-query scope (run the provided script with the user's full query and return the backend response). They explicitly ask the agent/user to send the full original message to the backend; that means any sensitive content in user messages will be transmitted. The docs also instruct how to run a FastAPI server (uvicorn booking_assitant.fastapi_serve:app), which is operational guidance but not intrinsically out-of-scope.
- Install Mechanism
- okNo install spec is present and this is an instruction-only skill with a small Python script; nothing is downloaded or written during install.
- Credentials
- concernThe script and SKILL.md use environment variables BOOKING_API_USER_ID, BOOKING_API_ENV, and BOOKING_API_BASE_URL (with defaults embedded), but the skill registry metadata lists no required env vars or primary credential. The presence of a hard-coded default user ID (a Mongo-like ID) and a default base URL pointing to host.docker.internal:8763 are noteworthy — they may cause accidental requests to local services or leak an identifier. The skill will transmit the user's full query to the backend, so environment/credential omissions and defaults make it unclear what credentials or endpoints will actually be used.
- Persistence & Privilege
- okThe skill does not request persistent privileges (always is false) and contains no code that modifies other skills or system-wide configs. It only communicates with an external backend when invoked.