Skill v1.0.0
ClawScan security
Labradoc Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 2, 2026, 6:55 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an internally consistent CLI client for the Labradoc API: its code, README, and SKILL.md align with the stated purpose and there are no disproportionate or unexplained requests.
- Guidance: This skill appears to be what it says: a Labradoc CLI client. Before installing or running the binary: 1) verify the binary comes from the official repository and check cryptographic checksums/signatures if available; 2) review the README/SKILL.md and the command list so you understand what data can be uploaded or requested (files upload, file search, API key creation, etc.); 3) note that OAuth uses a local HTTP callback and tokens are stored under ~/.config/labradoc/cli (clear them with 'labradoc auth logout' if needed); 4) be careful if you override --api-url or API_URL — pointing it at an unfamiliar endpoint could send your tokens/data elsewhere; and 5) if you want extra assurance, build the CLI locally from the included source rather than running a prebuilt binary.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, README, and the included Go source implement a CLI for Labradoc API operations (tasks, files, auth, integrations, billing). The requested behaviors (API token or OAuth, reading config, storing tokens) are expected for this purpose.
- Instruction Scope (ok): SKILL.md instructs downloading the CLI from GitHub Releases and using API token or OAuth; it documents config precedence and commands. The runtime instructions and code only reference API endpoints for Labradoc and local config/token files. The OAuth flow opens a localhost callback (standard) and tokens are stored under the user config directory (~/.config/labradoc/cli), which matches the documentation.
- Install Mechanism (note): No automated install spec in registry; SKILL.md recommends fetching prebuilt binaries from GitHub Releases (https://github.com/zamedic/labradoc-cli/releases). Fetching binaries from GitHub releases is common but users should verify authenticity (checksums/signatures) before running third-party binaries.
- Credentials (note): The skill uses API tokens or OAuth and documents environment variables (API_TOKEN, API_URL, KEYCLOAK_URL, etc.) and config files. The registry metadata lists no required env vars; that is not harmful but means the skill treats those vars as optional overrides. Token storage on disk (~/.config/labradoc/cli/token.json and pkce.json) is expected for OAuth flows.
- Persistence & Privilege (ok): The skill does not request permanent 'always' inclusion, does not alter other skills, and only persists its own tokens/config under the user config directory. Autonomous invocation is allowed by default but is not combined with other concerning privileges.
