Skillv1.0.0

ClawScan security

Tenqua OpticalQuantumSkill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 16, 2026, 5:50 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and runtime instructions align with its stated purpose (an optical/photonic quantum-kernel simulator); it does not request credentials, external network access, or elevated persistence and its behavior is limited and local.
Guidance: This skill appears to do what it says: a local optical-quantum kernel simulation implemented in Python. Before running, (1) inspect the included script (already small and readable) and confirm you are comfortable executing it; (2) ensure the runtime has Python and numpy installed; (3) run it in an isolated environment (container or VM) if you treat unreviewed code as sensitive; and (4) note there are no network calls or credential requests in the code, so there is no obvious exfiltration vector. If you need guarantees for production use, request an explicit dependency/install section and a reproducible build/test process.

Review Dimensions

Purpose & Capability: noteThe name/description (optical quantum kernel simulator) match the included Python implementation. Minor inconsistency: the package includes a Python script that imports numpy but the skill metadata does not declare dependencies or an install step. That is an operational omission (you need numpy available to run the script) but not a functional or security mismatch with the stated purpose.
Instruction Scope: okSKILL.md describes a single simulation command and embeds the full source. The runtime behavior shown in the code is limited to local numeric computation, randomness, printing output, and argument parsing. The instructions do not direct the agent to read unrelated system files, access environment variables, or transmit data to external endpoints.
Install Mechanism: noteThere is no install spec (instruction-only), which minimizes installation risk. Note that the included script requires Python + numpy; because no dependency/install step is declared, users must ensure the runtime environment has these available. No downloads or archive extraction are present.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. The code does not attempt to read secrets or external configuration. Required permissions are minimal and proportionate to a local simulation task.
Persistence & Privilege: okThe skill is not marked always:true and does not request persistent/privileged presence or modify other skills or system-wide settings. It runs as an on-demand local script.