Skill v1.0.0
ClawScan security
Bring! Shopping Lists · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 14, 2026, 4:20 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and declared requirements are consistent with its stated purpose of managing a Bring! shopping list; it requires your Bring! email/password and standard Python dependencies and does not request unrelated privileges.
- Guidance: This skill appears to do what it says: it uses the bring-api Python package to log into your Bring! account and manage your default shopping list. Before installing: (1) Be comfortable storing BRING_EMAIL and BRING_PASSWORD as environment variables or in a .env file — these are sensitive credentials (consider using an app-specific password if Bring! supports it and avoid reusing your primary password). (2) The metadata marks 'uv' as required, but you can run it with pip and python; you don't have to install uv unless you prefer it. (3) The skill depends on the third-party 'bring-api' package — if you want extra assurance, review that package's repository and history before installing. (4) Prefer setting secrets in a secure store or per-project env rather than globally, and rotate the password if you stop using the skill. Overall, there are no red flags indicating off-purpose behavior, but treat your Bring! password as sensitive and verify the bring-api dependency if you have high security requirements.
Review Dimensions
- Purpose & Capability (note): The skill's name/description match the code and declared env vars (BRING_EMAIL, BRING_PASSWORD) and the included bring.py uses the unofficial bring-api library to operate on the user's Bring! lists. One minor mismatch: the registry metadata marks the uv binary as a required binary, but the SKILL.md and README also document a pip installation path that does not need uv — making 'uv' optional in practice. This is a small incoherence but does not change the core functionality.
- Instruction Scope (ok): SKILL.md instructs the agent to set BRING_EMAIL/BRING_PASSWORD, run bring.py via uv or pip, and operate only on the default shopping list. The runtime instructions and code limit actions to listing, adding, removing, and completing items and do not direct the agent to read unrelated files, network endpoints, or other credentials.
- Install Mechanism (ok): There is no opaque download/install mechanism. The skill is instruction-only (no installer) and provides requirements.txt (bring-api, python-dotenv). These are public Python packages and the code included is readable; nothing is fetched from unknown personal URLs or archives during install.
- Credentials (ok): The skill requires only BRING_EMAIL and BRING_PASSWORD (declared and used by the code) which is proportionate to authenticating to Bring!. Note: storing a plaintext account password in env/.env is sensitive but expected for this approach; the skill does not request unrelated credentials.
- Persistence & Privilege (ok): No 'always: true' flag is set; the skill does not request persistent system-wide changes or modify other skills. disable-model-invocation is false (agent may invoke autonomously) — this is the platform default and not excessive by itself.
