Skill v1.3.0
ClawScan security
TiDB Cloud Zero · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 9:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only helper that documents how to create ephemeral TiDB 'Zero' instances via an unauthenticated public API; its requirements and instructions align with that purpose.
- Guidance: This skill is a documentation/instruction pack for using TiDB Cloud Zero and is internally consistent with that purpose. Before installing or using it: verify the API hostname (zero.tidbapi.com / zero.tidbcloud.com) is the legitimate provider you expect; avoid placing sensitive or regulated data into ephemeral, unauthenticated databases (instances are public and auto-expire); if you use auto-embedding BYOK, prefer secure secret management rather than embedding long-lived provider API keys into SQL globals; and if you want to keep an instance, follow the claimUrl process before expiresAt. If you have doubts about the endpoint's legitimacy, test with non-sensitive data first.
Review Dimensions
- Purpose & Capability (ok): Name/description claim (provisioning ephemeral MySQL-compatible TiDB Zero instances) matches the SKILL.md API call, network requirements, and references to MySQL clients. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (note): The instructions are limited to calling the public API and connecting with standard MySQL clients. The included reference docs additionally show how to configure BYOK model keys via TiDB globals (SQL SET @@GLOBAL... examples). That is expected for auto-embedding functionality but is an operational/privacy consideration (it instructs storing provider API keys in the DB environment if users choose BYOK).
- Install Mechanism (ok): Instruction-only skill with no install spec, no downloads, and no code files — minimal surface area and nothing written to disk by the skill itself.
- Credentials (note): The skill declares no required environment variables or credentials, which matches the unauthenticated API described. However, reference docs describe BYOK usage that would require external API keys (OpenAI, Cohere) and examples for setting them as TiDB global variables — these are optional but users should not assume the skill will handle or need those keys by default.
- Persistence & Privilege (ok): Skill does not request persistent presence (always:false), does not modify other skills or system settings, and has no install-time privileges.
