Skill v0.1.0

ClawScan security

Godot Project Checklist Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 5:50 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Instruction-only Godot checklist skill with no code, no installs, and no requested credentials — its requirements and instructions are consistent with the stated purpose.
Guidance
This is a low-risk, instruction-only skill that provides checklists and templates for Godot projects. It does not request credentials, install code, or access system files. The SKILL.md even warns against collecting secrets and running remote installers. The only external link is a PayPal donate URL (expected for donations). If you care about provenance, note the skill's source/homepage are not provided — that doesn't indicate maliciousness here but means you can't verify the author easily. If you prefer tighter safety, you can disable autonomous invocation for this skill when installing so it only runs when you explicitly call it. Finally, never paste passwords, private keys, OTPs, or other secrets into prompts — the skill's guidance already advises this.

Review Dimensions

Purpose & Capability
ok
The name/description match the SKILL.md content: the skill provides templates, checklists, and guidance for Godot projects. It requests no binaries, credentials, or config paths that would be unrelated to that purpose. (Note: source/homepage are not provided, but that is provenance noise rather than a signal of mismatch.)
Instruction Scope
ok
SKILL.md is narrowly scoped: it describes inputs (non-secret goal, optional notes), outputs (plan, checklist, next actions) and includes explicit safety rules forbidding secrets and remote installers. It does not instruct reading system files, environment variables, or posting data to external endpoints (aside from an optional donation link).
Install Mechanism
ok
No install spec and no code files — instruction-only. Nothing is written to disk or fetched at install time.
Credentials
ok
No environment variables, credentials, or config paths are required. The SKILL.md explicitly forbids collecting passwords/keys/secrets, so requested privileges are minimal and proportionate.
Persistence & Privilege
ok
always is false and the skill is user-invocable. disable-model-invocation is false (normal default) which allows autonomous invocation; this is standard platform behavior and not by itself a red flag. The skill does not request persistent system-wide changes or other skills' configs.