Low Risk — Risk Score 10/100
Last scan: 1 day ago
Looper
Automate content creation, code improvement, and social media posting via Looper (looper.bot)
A straightforward API-wrapping skill for a SaaS content automation service with no malicious indicators.
Skill Name: Looper
Duration: 33.8s
Engine: pi
Safe to install
Approve for use. The skill is a thin CLI wrapper around a documented REST API at api.looper.bot, with no hidden functionality.

Findings: 1 item

Severity: Low
Finding: Shell/network/env access not declared in capability model (Doc Mismatch)
SKILL.md describes an API-wrapper tool but does not declare network or shell access. The allowed-tools mapping shows Bash→shell:WRITE and WebFetch→network:READ are implied, but SKILL.md omits any allowed-tools declaration.
No allowedTools declared in SKILL.md
→ Add an allowedTools declaration to SKILL.md (Bash for script execution, Read for reference files).
Location: SKILL.md:1

Resource | Declared | Inferred | Status | Evidence
Network | NONE | READ | ✓ Aligned | SKILL.md uses curl to api.looper.bot but does not declare network access as a ca…
Shell | NONE | WRITE | ✓ Aligned | looper-api.sh:42 — curl commands are invoked via bash subprocess
Filesystem | NONE | NONE | | No filesystem access found in any file
Environment | NONE | READ | ✓ Aligned | looper-api.sh:6 — reads LOOPER_API_URL and LOOPER_ADMIN_KEY from environment
Skill Invoke | NONE | NONE | | No cross-skill invocations

9 findings

Severity | Type | URL | Location
Medium | External URL | https://looper.bot | SKILL.md:4
Medium | External URL | https://api.looper.bot | SKILL.md:30
Medium | External URL | https://api.looper.bot/api/signup | SKILL.md:38
Medium | External URL | https://api.looper.bot/api/login | SKILL.md:48
Medium | External URL | https://api.looper.bot/api/loops | SKILL.md:62
Medium | External URL | https://api.looper.bot/api/loops/ | SKILL.md:149
Medium | External URL | https://api.looper.bot/api/github/connect | SKILL.md:204
Medium | External URL | https://api.looper.bot/api/github/status | SKILL.md:208
Medium | External URL | https://api.looper.bot/api/keys | SKILL.md:216

File Tree

3 files · 11.6 KB · 395 lines
Markdown 2f · 333L Shell 1f · 62L
├─ 📁 references
│ └─ 📝 api-reference.md Markdown 97L · 3.0 KB
├─ 📁 scripts
│ └─ 🔧 looper-api.sh Shell 62L · 1.9 KB
└─ 📝 SKILL.md Markdown 236L · 6.6 KB

Security Positives

✓ No base64, eval, or obfuscated code detected anywhere
✓ All network traffic goes to a single, declared API endpoint (api.looper.bot)
✓ No credential exfiltration — LOOPER_ADMIN_KEY is used only for Bearer auth to the legitimate API
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No reverse shell, C2, or data theft indicators
✓ No supply chain risks — no dependencies (requirements.txt, package.json, etc.)
✓ GitHub OAuth flow is documented and scoped to repo access only
✓ The GitHub source link (dbhurley/looper) is a real public repository