Skill v3.2.0
ClawScan security
Tariff Watch Clean · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 5, 2026, 12:46 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent: it's an instruction-only integration that expects you to run a local FastAPI backend and does not request unrelated credentials or elevated platform privileges.
- Guidance: This skill appears coherent, but before using it:
  1. Understand that the AI will call a local FastAPI server on http://localhost:8000 — you must run and trust that backend code (the skill points to a GitHub repo); review that repository before running pip install or starting the server.
  2. Optional API keys (EXCHANGERATE_API_KEY, FREIGHTOS_API_KEY) grant the backend access to third-party services — only provide them if you trust the backend.
  3. The backend writes a SQLite DB (default ~/.tariff-watch/) — if you change the data directory, avoid pointing it at sensitive locations.
  4. The agent will suggest HTS codes automatically; classification can be wrong — always confirm critical classifications and legal interpretations with a licensed customs broker.
  5. If you run this inside a hosted/managed agent environment, verify that localhost calls reach the intended service and that running third-party code is allowed and sandboxed.
Review Dimensions
- Purpose & Capability (ok): The name/description (landed-cost / tariff calculations) aligns with the instructions: all runtime actions are HTTP calls to a local FastAPI backend serving tariff, FX, shipping, and compliance endpoints. No unrelated credentials, binaries, or system access are requested.
- Instruction Scope (ok): SKILL.md tells the agent to infer HTS codes and call well-defined localhost endpoints (e.g., /tariff/{hts_code}/effective, /landed-cost). It does not instruct reading arbitrary host files, scanning system state, or exfiltrating data to third-party endpoints. The scope is limited to querying the local service and presenting results.
- Install Mechanism (ok): There is no registry install spec (instruction-only). The README documents how to run a FastAPI backend from a GitHub repo; that is expected for this functionality. Because code execution happens when you run the backend yourself, review the upstream repository before installing.
- Credentials (ok): No required environment variables are declared. Optional keys (EXCHANGERATE_API_KEY, FREIGHTOS_API_KEY, TARIFF_WATCH_DATA_DIR) are appropriate and justified for premium FX/shipping data and data storage. There are no unrelated or excessive credential requests.
- Persistence & Privilege (ok): Skill flags show no always:true and normal autonomous invocation. The backend persists data to a local SQLite path (~/.tariff-watch/ by default), which is consistent with the described auto-refresh/history behavior and is proportional to the service's needs.
