Skill v0.1.21
ClawScan security
Theta EdgeCloud Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 11:42 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested credentials are consistent with a cloud-API client for Theta EdgeCloud and do not request unrelated system access.
- Guidance: This skill is a coherent Theta EdgeCloud API client; only provide the project-scoped API key and project id unless you intend to use optional features (on-demand, inference endpoint, or video) that require additional tokens. For safer first use set THETA_DRY_RUN=1, avoid supplying unrelated secrets, and rotate keys if you decide to remove the skill later. If you need higher assurance, review the included dist/*.js files (they make HTTPS requests only to theta domains and validate hosts) or run the skill in a restricted test account with minimal billing/credits before granting production credentials.
Review Dimensions
- Purpose & Capability (ok): Name/description, declared primary env (THETA_EC_API_KEY) and project id align with the implemented clients and commands that call thetaedgecloud.com, ondemand, and thetavideoapi domains. Optional additional credentials mentioned in SKILL.md reasonably map to optional feature families (on-demand, inference endpoint, video).
- Instruction Scope (ok): SKILL.md explicitly limits behavior to cloud API operations. Runtime handlers and the distributed code perform only HTTP(S) calls to Theta domains, validate endpoints (disallow loopback/private hosts), and avoid local shell/file I/O per the provided implementation. No instructions ask the agent to read arbitrary local files or exfiltrate unrelated secrets.
- Install Mechanism (note): There is no install spec (no external archive download), which lowers install risk. However, the artifact is not purely instruction-only: compiled dist files and package.json are included in the bundle. This is consistent with the SKILL.md note that it is a 'dist/docs bundle' for inspection and runtime use; still, users should be aware code will be loaded/executed by the agent runtime.
- Credentials (ok): Only THETA_EC_API_KEY and THETA_EC_PROJECT_ID are required; other env vars are optional feature-specific knobs. The primary credential requested matches the stated controller/deployment functionality. No unrelated cloud credentials or system secrets are required.
- Persistence & Privilege (ok): Skill does not request always:true and does not declare system-wide config or cross-skill modifications. Autonomous invocation is allowed by default (normal), but the skill's scope and env requirements are narrow.
