Back to skill
Skillv1.0.0
ClawScan security
SecretCodex · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 8:46 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's description, runtime instructions, and lack of required credentials/install steps are internally consistent with a harmless educational/code-name and cipher helper — nothing in the files asks for unrelated credentials or system access.
- Guidance
- This skill is internally consistent and appears safe for educational use, games, and code-name generation. Keep in mind: (1) don't use these ciphers for real sensitive data — the README itself warns that modern crypto (AES/RSA/Signal etc.) is required for true security; (2) share keys only via separate, trusted channels as the skill recommends; (3) provenance is unclear (no homepage, unknown owner ID), so if you need an auditable or production-grade tool prefer a skill from a known source or one that includes code you can review. If you plan to rely on this for anything critical, ask the publisher for source links or an installable implementation you can audit.
Review Dimensions
- Purpose & Capability
- okName and description match the SKILL.md/README: generating code names and teaching/performing classic and hybrid ciphers. The skill requests no binaries, env vars, or config paths that would be unrelated to this purpose.
- Instruction Scope
- okSKILL.md contains only generation guidance, encoding/decoding algorithms, examples, and key-sharing advice. It does not instruct the agent to read local files, environment variables, or contact external endpoints, nor does it request broad discretionary data collection.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files to run. That minimizes on-disk execution risk and aligns with the declared 'pure knowledge' implementation.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths — appropriate for an offline/educational cipher helper. There are no requests for unrelated secrets.
- Persistence & Privilege
- okFlags are default (not always: true). The skill does not request persistent system modifications or cross-skill config changes; autonomous invocation is allowed by platform default and is reasonable for a user-invocable helper.