Back to skill
Skillv1.0.0
ClawScan security
collab-offer-polisher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 8:36 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (polishing collaboration messages); it only reads the macOS clipboard and prints it for the agent to rewrite, with no network calls or unrelated credentials requested.
- Guidance
- This skill is coherent with its stated purpose and contains a small script that reads the macOS clipboard and prints it for the agent to rewrite. Before using it: (1) ensure you're on macOS (pbpaste required); (2) do not put secrets or sensitive personal data in the clipboard when invoking the skill, because the clipboard contents will be sent to the agent for rewriting; (3) you can inspect scripts/read_clipboard.mjs (already included) — it uses only pbpaste and does not make network calls or access other files; (4) if you need cross-platform support, request an alternative that uses a different clipboard method. If any of these points are a concern, do not install or invoke the skill.
Review Dimensions
- Purpose & Capability
- okName/description (polish collaboration offers) align with required binaries (node + pbpaste) and the included script which reads clipboard text for rewriting. The dependency on pbpaste is consistent with the README noting macOS.
- Instruction Scope
- noteRuntime instructions tell the agent to run scripts/read_clipboard.mjs which executes pbpaste and prints the clipboard contents surrounded by markers. This is within scope for a text-polishing skill but has a privacy implication: it will expose whatever is currently on the user's clipboard to the agent.
- Install Mechanism
- okNo install spec (instruction-only plus a small included script). No downloads or archive extraction; nothing is written to disk beyond the existing skill files. Low-risk installation footprint.
- Credentials
- okNo environment variables, credentials, or config paths requested. The lack of extraneous secrets is proportionate to the described functionality.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; it does not request persistent or elevated privileges and does not modify other skills or system-wide settings.