Skill v1.2.0

ClawScan security

Xcode Build Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 12:25 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Instructions and requirements are coherent for a macOS tool that reads Xcode DerivedData and parses build logs; no unexplained credentials, installs, or network activity are present.
Guidance
This skill is internally consistent for reading and parsing Xcode DerivedData logs. Before installing: (1) Confirm you trust the skill source (homepage/owner) because the skill reads local build artifacts. (2) Be aware it may need Full Disk Access on macOS — grant that only if necessary. (3) Ensure python3 and the 'strings' utility are available on your machine; SKILL.md uses them but they are not listed in the metadata. (4) Because the skill reads local logs, avoid running it in contexts where sensitive build artifacts should not be exposed, and verify any agent behavior that might forward extracted output externally (the SKILL.md itself contains no network calls).

Review Dimensions

Purpose & Capability
ok: The skill's name/description (Xcode build log analysis) matches the actions in SKILL.md: reading ~/Library/Developer/Xcode/DerivedData, parsing LogStoreManifest.plist and .xcactivitylog files to extract timing, warnings, and errors. Required binaries (plutil, gunzip, sqlite3) are appropriate for those tasks. Minor inconsistency: SKILL.md uses python3 and the strings utility in examples but the declared required bins do not list 'python3' or 'strings'. These are commonly present on developer machines but should have been declared.
Instruction Scope
ok: All instructions operate on the stated paths under DerivedData and use local tools to parse plists, gzipped logs, and sqlite/JSON. There are no instructions to transmit data to external endpoints or modify files (the doc explicitly states read-only). The file paths and commands referenced are within the scope of analyzing Xcode build artifacts. The SKILL.md does note that Full Disk Access may be required, which is appropriate but increases the scope of readable data at the OS level.
Install Mechanism
ok: This is instruction-only (no install spec, no code files). That is low-risk and matches the declared metadata. Nothing is downloaded or written by an installer step.
Credentials
ok: The skill requests no environment variables or credentials — appropriate for a local analysis tool. The one notable permission consideration is the OS-level Full Disk Access, which the README warns may be needed; granting that is an OS-level decision and could allow broader file reads beyond DerivedData, so users should be cautious.
Persistence & Privilege
ok: always:false and default autonomous invocation are appropriate. The skill does not request persistent changes to agent configuration or system-wide settings. There is no evidence it attempts to modify other skills or persist credentials.