Skillv1.0.0

ClawScan security

Swiftlint · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 8, 2026, 9:50 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only wrapper for running the SwiftLint CLI that is internally consistent with its stated purpose and does not request extra credentials or install arbitrary third-party payloads — note that autocorrect operations will modify local files, so take usual precautions (commit/backup) before running.
Guidance: This skill is coherent and appears to do only what it says: guide and run the SwiftLint CLI. Before using it: 1) Commit or back up your repository before running --fix/autocorrect since those commands change files. 2) If you want to avoid any modifications, instruct the agent to only lint (no --fix) or request a dry run. 3) Installing via brew/mint/SPM is normal; if you require strong provenance, verify that Homebrew/Mint will pull the official realm/SwiftLint sources. 4) Because the skill is instruction-only, there is no bundled code to inspect; its behavior depends on the local swiftlint binary — ensure you trust that binary/version in your environment. If you are uncomfortable with an agent autonomously running fix operations, restrict autonomous invocation or explicitly require confirmation before applying fixes.

Purpose & Capability: okName, description, and declared requirement ('swiftlint') align with the actual instructions. All required actions are about installing/running SwiftLint (brew / mint / SPM) and managing linting/reporting; there are no unrelated dependencies or surprising claims.
Instruction Scope: okSKILL.md only instructs the agent to run SwiftLint commands (lint, fix, reporters, rules) and common shell helpers (cat, grep). It does not ask the agent to read unrelated system files, access environment secrets, or transmit data to external endpoints. It does instruct autocorrect (--fix), which will modify project files and thus requires user consent/precautions.
Install Mechanism: noteThe skill is instruction-only (no automated install spec). It recommends installing via Homebrew, Mint, or SwiftPM — all standard distribution mechanisms for SwiftLint. This is low risk, but users should be aware 'brew install' will fetch a binary from Homebrew (verify Homebrew sources if you require strict provenance).
Credentials: okNo environment variables, credentials, or config paths are requested. The lack of secrets is appropriate for a linting CLI skill.
Persistence & Privilege: okFlags show no forced permanence (always: false). disable-model-invocation is false (normal platform default), meaning the agent can invoke the skill autonomously; given the skill is low-privilege and coherent, this is acceptable but be mindful of autonomous autocorrect actions.