Back to skill
Skillv2.0.0
ClawScan security
Apicheck · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 7:06 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its description: it provides templates and helper scripts for building API requests, generating curl commands, mock data, docs, and status/header explanations and does not request extra credentials or perform unexplained network or file access.
- Guidance
- This skill appears to be what it claims: a set of helper scripts and templates for API work. Before installing or running, note that the included script will create a per-user data directory (APICHECK_DIR or default ~/.local/share/apicheck) and write small log files there. The skill does not request credentials, but avoid pasting real tokens or secrets into prompts or example fields. If you prefer tighter control, inspect the scripts locally and run them in a sandboxed environment; you can also set APICHECK_DIR to a location you control. Autonomous invocation is allowed by default on the platform (not unique to this skill) — if you are concerned about automatic execution, use platform controls to restrict autonomous skill execution.
Review Dimensions
- Purpose & Capability
- okName/description (API request builder, curl, mock data, docs, status codes, headers) match the provided scripts and SKILL.md. No unrelated env vars, binaries, or permissions are requested.
- Instruction Scope
- okSKILL.md and scripts only produce templates and examples; they do not instruct reading arbitrary system files, exfiltrating data, or calling external endpoints beyond example image URLs in mock data. There is no vague 'gather whatever context you need' instruction.
- Install Mechanism
- okNo install spec is provided (instruction-only). The included scripts are plain shell templates; nothing is downloaded or extracted from third-party URLs at install time.
- Credentials
- okThe skill declares no required env vars or credentials. The scripts reference common environment variables (APICHECK_DIR, XDG_DATA_HOME, HOME) only to determine a data directory; this is proportionate to a local CLI tool that writes its own logs.
- Persistence & Privilege
- noteThe skill does write logs and data to a per-user data directory (APICHECK_DIR or default $XDG_DATA_HOME/$HOME/.local/share/apicheck). It does not request always:true and does not modify other skills or system-wide configs.