ClawHub Security Scan
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to be a coherent local security-scanning helper, but users should note that some of its commands use a SkillPay API key to bill a small per-call charge.
This skill looks reasonable for scanning a ClawHub skill folder. Before using it, confirm you are comfortable with the SkillPay per-call charge, provide the API key only intentionally, and avoid pointing the scanner at broad private directories outside the skill you want reviewed.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the paid command with a valid SkillPay key can charge the user's SkillPay account.
The precheck command uses a SkillPay API key to call an external billing charge endpoint. This matches the disclosed paid-skill model, but it is still payment/account authority that users should understand before running.
k = api_key or os.environ.get("SKILLPAY_API_KEY")
...
headers={"Content-Type": "application/json", "X-API-Key": key}
...
return _post("/billing/charge", body, k)

Only provide the SkillPay key when you intend to pay for a call; prefer an environment variable over a command-line flag, and the publisher should document SKILLPAY_API_KEY and the required billing arguments in the metadata and usage examples.
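What a guarded version of that precheck could look like, as an added example that is not the skill's own code: it keeps the key lookup and the X-API-Key header from the quoted fragment, but prefers SKILLPAY_API_KEY over a flag (and reports when a flag was used), refuses to assemble the /billing/charge request unless the caller explicitly opted in, never exposes the key unmasked, and only accepts a scan target that is a single skill folder containing SKILL.md. The host skillpay.invalid, the confirm_charge argument, the deny list of broad directories, the sample request body and the demo skill folder are assumptions for illustration; the request is built but never sent, so the block runs offline.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

# CHARGE_PATH is the path quoted in the scan finding; the host is a placeholder
# (RFC 2606 .invalid), not SkillPay's real API.
SKILLPAY_BASE = "https://skillpay.invalid"
CHARGE_PATH = "/billing/charge"


class ChargeRefused(RuntimeError):
    """Raised instead of producing a billable request."""


def mask_key(key: str) -> str:
    """Keep only the last 4 characters so a key never reaches logs verbatim."""
    return "*" * max(len(key) - 4, 0) + key[-4:]


def resolve_api_key(flag_value: Optional[str] = None) -> Tuple[str, str]:
    """Return (key, source). The env var wins over a --api-key flag: flags end
    up in shell history and `ps` output, environment variables do not."""
    env = os.environ.get("SKILLPAY_API_KEY")
    if env:
        return env, "env"
    if flag_value:
        return flag_value, "flag"
    raise ChargeRefused("no SkillPay key: set SKILLPAY_API_KEY")


def build_charge_request(body: dict, *, confirm_charge: bool,
                         api_key_flag: Optional[str] = None) -> Dict[str, object]:
    """Assemble the billing POST without sending it. confirm_charge is a
    hypothetical explicit opt-in so a stray precheck can never bill by accident."""
    if not confirm_charge:
        raise ChargeRefused("refusing to charge: pass confirm_charge=True")
    key, source = resolve_api_key(api_key_flag)
    return {
        "method": "POST",
        "url": SKILLPAY_BASE + CHARGE_PATH,
        "headers": {"Content-Type": "application/json", "X-API-Key": key},
        "json": body,
        "key_source": source,       # "env" or "flag", for a warning in the CLI
        "key_display": mask_key(key),  # the only form that should ever be printed
    }


def broad_roots() -> Set[Path]:
    """Hypothetical deny list: directories far too broad to hand to a scanner."""
    roots = {Path("/").resolve()}
    try:
        home = Path.home().resolve()
        roots.update({home, home / "Documents"})
    except RuntimeError:  # no home directory in this environment
        pass
    return roots


def check_scan_target(target) -> Path:
    """Accept only one skill folder: it must contain SKILL.md and must not be a
    broad root. Returns the resolved path."""
    p = Path(target).expanduser().resolve()
    if p in broad_roots():
        raise ValueError(f"refusing to scan broad directory {p}")
    if not (p / "SKILL.md").is_file():
        raise ValueError(f"{p} does not look like a skill folder (no SKILL.md)")
    return p


def demo() -> Dict[str, object]:
    """Exercise the guards on a constructed skill folder and return outcomes."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        skill = Path(tmp) / "my-skill"          # constructed sample skill
        skill.mkdir()
        (skill / "SKILL.md").write_text("# constructed sample skill\n")
        results["skill_ok"] = check_scan_target(skill) == skill.resolve()
        try:
            check_scan_target("/")
            results["root_rejected"] = False
        except ValueError:
            results["root_rejected"] = True
        try:
            check_scan_target(tmp)               # parent folder, no SKILL.md
            results["parent_rejected"] = False
        except ValueError:
            results["parent_rejected"] = True
    saved = os.environ.pop("SKILLPAY_API_KEY", None)
    body = {"amount_cents": 5}                   # constructed sample body
    try:
        build_charge_request(body, confirm_charge=False, api_key_flag="sk_test_1234")
        results["unconfirmed_refused"] = False
    except ChargeRefused:
        results["unconfirmed_refused"] = True
    req = build_charge_request(body, confirm_charge=True, api_key_flag="sk_test_1234")
    results["flag_source"] = req["key_source"]
    results["masked"] = req["key_display"]
    os.environ["SKILLPAY_API_KEY"] = "sk_env_9876"
    req = build_charge_request(body, confirm_charge=True, api_key_flag="sk_test_1234")
    results["env_wins"] = (req["key_source"] == "env"
                           and req["headers"]["X-API-Key"] == "sk_env_9876")
    os.environ.pop("SKILLPAY_API_KEY", None)
    if saved is not None:
        os.environ["SKILLPAY_API_KEY"] = saved
    return results


if __name__ == "__main__":
    print(demo())
```

A real CLI built on this would print a warning whenever key_source is "flag", show only key_display in any log line, and wire confirm_charge to an explicit option so the default path can only ever run the free, local part of the scan.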
