Skill v1.0.0

ClawScan security

portfolio-case-study-forge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 7:42 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and minimal runtime needs are internally consistent with its stated purpose (local drafting/templating for portfolio case studies) and there are no unexpected credentials, network installs, or opaque code paths.
Guidance
This skill appears coherent and low-risk: the helper script is small and local, there are no required credentials or remote installs, and the SKILL.md explicitly warns against fabricating metrics. Before installing or running: (1) inspect scripts/case_study_scaffold.py yourself (it's short and harmless); (2) run the helper with --help and use a non-privileged directory to test (it writes a JSON scaffold by default); (3) avoid pasting sensitive credentials or private data into prompts; and (4) if you later ask the agent to save, rename, or publish files, confirm those actions explicitly (the skill prefers preview/draft mode).

Review Dimensions

Purpose & Capability
ok · Name, description, SKILL.md workflow, resource template, and included helper script all align: they exist to structure project notes into case studies. The single dependency (python3) is reasonable for the bundled script and the functionality described.
Instruction Scope
ok · SKILL.md confines the agent to asking for inputs, producing drafts/checklists/talking points, and using the local script/resource. It explicitly forbids fabricating metrics and recommends preview mode; there are no instructions to read unrelated system files, access secrets, or call external endpoints.
Install Mechanism
ok · No install spec is provided (instruction-only with a local script), so nothing is downloaded or written to disk by an installer. The included script is small, plain-text, and auditable.
Credentials
ok · No environment variables, credentials, or config paths are required. The skill does not request unrelated secrets or external API keys.
Persistence & Privilege
ok · always:false (default) and no indications the skill modifies other skills or system-wide settings. The helper script writes a local JSON template file by default (args allow specifying output), which is normal and limited in scope.