Skill v2.0.0
ClawScan security
Cin7 Inventory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 9:20 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's scripts, required binaries, and environment variables match its stated Cin7 inventory-management purpose; nothing in the files indicates unrelated or hidden behavior.
- Guidance: This skill appears coherent for managing Cin7 Core via bash scripts. Before installing or running: (1) only provide the Cin7 account ID and app key — avoid putting unrelated secrets into the skill's .env because the scripts export every .env key; (2) review and, if desired, run the scripts in an isolated account or container to validate behavior; (3) confirm the API base URL matches your Cin7 instance and official docs; (4) inspect the update-order JSON construction (it injects the ID via sed) if you plan to pass complex JSON to ensure it produces valid payloads; and (5) verify you trust the skill source (homepage/owner metadata) since code runs locally.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (curl, bash), required env vars (CIN7_ACCOUNT_ID, CIN7_APP_KEY), and all script functionality consistently target the Cin7 Core API. The API headers, endpoints, and operations implemented (products, stock, orders, purchases, customers, suppliers) align with the declared purpose.
- Instruction Scope (note): SKILL.md instructs running the included bash scripts from the skill directory; the scripts do only HTTP calls to the Cin7 API and parse command-line args. One notable behavior: scripts source a .env file (if present) and config.sh exports every key/value found, which is broader than strictly necessary if the .env contains unrelated secrets. Otherwise the instruction scope is narrow and consistent with the stated task.
- Install Mechanism (ok): This is instruction-only / script-based with no install spec and no network downloads or package installs. All code is provided in the bundle and executed with bash/curl, which is low-risk compared to remote install steps.
- Credentials (note): The skill requires only two Cin7-related environment variables (CIN7_ACCOUNT_ID, CIN7_APP_KEY), which is proportionate. Caveat: config.sh will load and export all variables from a .env file in the skill directory (and falls back to CIN7_API_KEY), so placing other secrets in that .env could expose them to the scripts' runtime environment.
- Persistence & Privilege (ok): The skill does not request persistent/always-on privileges and does not modify other skills or system-wide agent settings. It appears to run only when invoked.
