Back to skill
Skillv1.0.0
ClawScan security
Txt Col Align · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 16, 2026, 9:45 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (aligning delimiter-separated text); it does not request credentials, perform network I/O, or install additional software.
- Guidance
- This skill appears to do exactly what it claims: format delimiter-separated text for readability. Consider that the source/homepage is unknown — if you plan to install/use it beyond running the included script, inspect or run tool.py locally to confirm behavior. Because it's a plain script, installation typically means saving the file and making it executable; no secrets or network access are needed. If you require a packaged/official tool, prefer a version from a known repository or source.
Review Dimensions
- Purpose & Capability
- okName/description (align text table columns) align with the provided code: tool.py reads stdin or a file, detects a delimiter, computes column widths, and prints aligned text. No unrelated capabilities (cloud access, secrets, network) are present.
- Instruction Scope
- okSKILL.md examples and usage stay within the stated purpose (running the CLI on files or piped input). The runtime instructions do not ask the agent to read other files, environment variables, or send data externally. Minor editorial mismatches: examples/epilog in tool.py use 'colalign' while SKILL.md uses 'txt_col_align', but this is a cosmetic inconsistency, not a security concern.
- Install Mechanism
- okThere is no install spec (instruction-only skill) and the shipped tool.py is a simple standalone script; nothing is downloaded from external URLs or extracted to disk during install.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths and the code does not read environment variables or secret files.
- Persistence & Privilege
- okSkill is not always-enabled and does not modify other skills or global agent config. It runs only when invoked and requires no elevated privileges.