Skill v1.0.0

ClawScan security

Frontend Doctor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Mar 12, 2026, 12:07 PM)
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested environment are consistent with a local frontend static-analysis/diagnostic tool and do not ask for unrelated credentials or remote installs.
Guidance
This skill appears to be a local static diagnostic tool: it will read files in the project directory you point it at (source files, package.json, manifest.json, configs) and print findings. It does not request credentials or contact external servers. If you plan to run it, (1) run it on a copy or in a controlled project if you are concerned about exposing proprietary source snippets in console output, (2) inspect the small JS files yourself if you want extra assurance, and (3) avoid running it from a parent directory that would scan more projects than intended. Overall the package is coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description (frontend diagnostics) align with the actual code: the package provides a CLI that scans project files (HTML, JS/TS, CSS, package.json, manifest.json, configs) and emits diagnostic findings. The only declared runtime requirement is 'node', which is appropriate.
Instruction Scope
ok: SKILL.md instructs the agent to ask the user for context (framework, errors, console/network output) and to follow a diagnostic checklist. The bundled code likewise reads project files under the supplied cwd and checks for patterns; it does not instruct or attempt to read unrelated system artifacts or to transmit data externally. The agent/CLI does read files from the provided project directory (package.json, manifest.json, config files, source files), which is expected for this tool.
Install Mechanism
ok: There is no install spec that downloads arbitrary code at runtime. The package is node-based with local JS files included. No external URLs, archive extracts, or runtime downloads are present in the package files provided.
Credentials
ok: The skill declares no required environment variables or credentials. The code checks for .env existence and inspects package.json and source files; it does not request or require secrets, nor does it read or exfiltrate environment variables or credentials.
Persistence & Privilege
ok: always:false and no requests to modify agent/system-wide settings. The skill runs as a CLI-like local analyzer and does not write to other skill configurations or assert permanent presence.