Back to skill
Skillv1.0.0
ClawScan security
Json Key Sorter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 10:31 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The included code and runtime instructions match the skill's stated purpose of sorting JSON keys; it requests no credentials, makes no network calls, and has no install steps.
- Guidance
- This skill appears to do exactly what it claims: sort JSON keys. Before installing or running it, review the included tool.py (already provided) and consider running it on sample data first. Note that SKILL.md is slightly truncated — usage is evident from the script. Be aware the script reads the entire JSON into memory (large files may use a lot of RAM) and will overwrite the specified output file without additional prompts. If you run untrusted code, execute it in a restricted environment or sandbox.
Review Dimensions
- Purpose & Capability
- okThe skill name/description (sort JSON object keys) aligns with the provided artifact: tool.py reads JSON, uses json.dumps(..., sort_keys=True) and writes sorted output. No unrelated binaries, env vars, or services are requested.
- Instruction Scope
- noteSKILL.md usage matches the tool (reading from file or stdin, writing to file or stdout). The usage documentation appears truncated (the third example is incomplete), but there are no instructions that access unrelated files, environment variables, or external endpoints.
- Install Mechanism
- okNo install spec is provided (instruction-only skill). A single Python script is included; nothing is downloaded or extracted during install.
- Credentials
- okThe skill declares and requires no environment variables, credentials, or config paths; the code does not read env vars or external secrets.
- Persistence & Privilege
- okThe skill is not always-enabled and uses normal model-invocation settings. It does not modify other skills or system-wide configuration.