Skill v0.0.2

ClawScan security

Find API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 9:09 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only guide that recommends public data APIs and gives sample code; it does not request credentials, install arbitrary software, or perform unrelated system access.
Guidance
This is an instruction-only catalog of public APIs and usage examples and is internally consistent. Before installing or using it:
1) be aware some recommended APIs require API keys: only provide keys you trust and scope them narrowly;
2) the examples suggest running pip install in your environment: only install packages from sources you control and audit packages if needed;
3) if you allow autonomous agent invocation, the agent could call external APIs at runtime (with any keys you provide), so limit credentials and monitor accordingly;
4) consider rate limits, cost, and licensing for the listed APIs.
Overall low-risk, but exercise normal caution when supplying real API credentials or installing packages.

Review Dimensions

Purpose & Capability
ok: The name/description match the SKILL.md content: it is a cross-domain catalog of data APIs and usage examples. The recommended packages and APIs (e.g., akshare, yfinance, OpenWeatherMap) are consistent with the stated purpose.
Instruction Scope
ok: Runtime instructions are examples and guidance for selecting and using APIs. Examples include pip install lines and placeholders for API keys (e.g., YOUR_API_KEY) but do not instruct the agent to read unrelated files, environment variables, or system configuration, nor to send data to unexpected endpoints.
Install Mechanism
ok: There is no install spec and no code files to run. The SKILL.md shows recommended 'pip install' commands as usage examples, which is normal for a Python-focused API guide; nothing is downloaded or executed by the skill itself.
Credentials
ok: The skill declares no required environment variables or credentials. The examples reference API keys as placeholders where appropriate; that is expected for API usage and not disproportionate. The skill does not request unrelated credentials or config paths.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable (normal). It does not request persistent system privileges or modify other skills' configs.