Skill v0.1.0

ClawScan security

Abstract Trimmer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Scanned Mar 13, 2026, 9:22 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (local Python script that trims abstracts); it requests no credentials or network access and its behavior matches the documentation, though some documentation claims are overstated and should be verified by the user.
Guidance
This skill appears to do what it claims: a small local Python script that trims abstracts. Before installing/using:
- Review the source (scripts/main.py) yourself if you will process sensitive or unpublished abstracts — the script will open any file path you provide and write output to the path you specify. It does not enforce sandboxing or extra path sanitization.
- SKILL.md contains a minor contradiction: it shows pip install -r requirements.txt but no requirements.txt is included and the script uses only the Python standard library. Confirm there are no hidden dependencies before running pip commands.
- The trimming is regex- and heuristic-based. Test thoroughly: automated removals can accidentally drop nuance or important phrasing (especially in Methods/Results). Always perform a human review of any trimmed abstract before submission.
- If you need stronger guarantees (no network I/O, stronger path validation, or stricter preservation of numeric/statistical content), run the script in an isolated environment (VM/container) and inspect or modify the code to add explicit validations/logging.
Overall risk is low and coherent with the stated purpose, but verify the few documentation claims and run human validation on outputs.

Review Dimensions

Purpose & Capability
ok: Name/description (abstract trimming) matches the included Python script and usage examples. The script implements regex-based trimming strategies and file/stdin I/O consistent with the stated features (conservative/balanced/aggressive, check-only, JSON/text output).
Instruction Scope
note: Runtime instructions direct running the local Python script with input via file, stdin, or a CLI flag and writing output to a file or stdout — scope remains limited to user-provided text and files. However, the SKILL.md asserts protections (e.g., input validation, sandboxing, no network access) that are not enforced or implemented in the code; the code performs no additional validation beyond opening the provided input path and could read any file path the user supplies.
Install Mechanism
ok: No install spec or third-party downloads are present; the skill is instruction-only plus a local script. Nothing is downloaded or executed from external URLs. This is a low-risk install surface.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. The code does not access the network, secrets, or other environment variables. Required privileges are limited to standard file read/write operations as directed by the user.
Persistence & Privilege
ok: The skill is not always-enabled and does not request persistent privileges or modify other skills or global agent configuration. It runs only when invoked and does not autonomously persist state.