Skill v1.0.0

ClawScan security

monorepo-navigator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 3:19 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, scope, and examples are coherent with a monorepo navigation/management tool; no unrelated credentials, installs, or hidden endpoints are requested. It does include powerful repo-changing commands and references optional remote-cache tokens that should be handled with care.
Guidance
This is a coherent, instruction-only monorepo guide. Before running anything from it:
1) Review any commands that rewrite git history (git filter-repo) and make backups first (a clone, tags, or a mirror of the repo); those commands are destructive if misused.
2) Inspect any example scripts that execute shell commands (the Node execSync example) before running them in your workspace.
3) The remote cache configuration mentions TURBO_TOKEN / TURBO_TEAM / TURBO_API; only provide tokens to, and point caches at, servers you trust, since a malicious or misconfigured cache endpoint could receive build artifacts or metadata.
4) The examples clone from example GitHub URLs; replace them with your real remotes and avoid running commands that fetch or merge unknown repos.
If you want greater assurance, ask the skill author for a smaller, non-destructive demo, or run the commands first in an isolated sandbox copy of your repo.
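A pre-run audit that mechanizes the four guidance items above, as an added example that is not part of the ClawHub scan or the monorepo-navigator skill. It scans skill text for history-rewriting git commands, shell execution from example scripts, clone commands that still point at placeholder remotes, and TURBO_API endpoints outside a trusted allowlist. The sample SKILL.md text, the placeholder-remote heuristic (an example.* host or an `example` org path segment), and the trusted-host set are all assumptions constructed for this example.

```python
"""Pre-run audit of an instruction-only skill for the risky operations
a reviewer should see before anything executes: history-rewriting git
commands, shell execution from example scripts, clone commands that
still use placeholder remotes, and remote-cache endpoints outside an
allowlist. The sample text below is constructed for this example and is
not the monorepo-navigator skill's real SKILL.md."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# git operations that rewrite or splice history (guidance items 1 and 4).
DESTRUCTIVE_GIT = re.compile(r"\bgit\s+filter-repo\b|--allow-unrelated-histories\b")
# Node child_process calls that run shell commands (guidance item 2).
SHELL_EXEC = re.compile(r"\b(execSync|exec|spawnSync|spawn)\s*\(")
# Clone commands whose remote is checked for placeholders (guidance item 4).
CLONE_URL = re.compile(r"\bgit\s+clone\s+(\S+)")
# Remote-cache endpoint assignments (guidance item 3).
CACHE_ENDPOINT = re.compile(r"\bTURBO_API\s*=\s*['\"]?([^\s'\"]+)")

# Heuristic placeholder indicators (assumption for this example).
PLACEHOLDER_HOSTS = ("example.com", "example.org")
PLACEHOLDER_ORGS = ("example", "your-org", "yourorg")


def _normalize(url: str) -> str:
    """Turn scp-style git@host:org/repo.git into a URL urlparse can read."""
    if "://" not in url and ":" in url:
        return "ssh://" + url.replace(":", "/", 1)
    return url


def is_placeholder_remote(url: str) -> bool:
    """True when a clone URL still points at an obvious stand-in remote."""
    parsed = urlparse(_normalize(url))
    host = (parsed.hostname or "").lower()
    if host.endswith(PLACEHOLDER_HOSTS):
        return True
    segments = [s.lower() for s in parsed.path.split("/") if s]
    return bool(segments) and segments[0] in PLACEHOLDER_ORGS


def is_trusted_cache_endpoint(url: str, trusted_hosts: set[str]) -> bool:
    """Require https and a host from the caller's allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and (parsed.hostname or "").lower() in trusted_hosts


def audit_skill_text(text: str, trusted_cache_hosts: set[str]) -> list[tuple[str, int, str]]:
    """Return (category, line_number, snippet) findings for the text."""
    findings: list[tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if DESTRUCTIVE_GIT.search(line):
            findings.append(("destructive-git", lineno, line.strip()))
        if SHELL_EXEC.search(line):
            findings.append(("shell-exec", lineno, line.strip()))
        for m in CLONE_URL.finditer(line):
            if is_placeholder_remote(m.group(1)):
                findings.append(("placeholder-remote", lineno, m.group(1)))
        for m in CACHE_ENDPOINT.finditer(line):
            if not is_trusted_cache_endpoint(m.group(1), trusted_cache_hosts):
                findings.append(("untrusted-cache-endpoint", lineno, m.group(1)))
    return findings


# Constructed sample resembling the kinds of commands the verdict describes.
SAMPLE_SKILL = """\
# Monorepo migration (constructed sample)
git clone https://github.com/example/app-one.git packages/app-one
git clone git@github.com:acme/platform.git packages/platform
git merge --allow-unrelated-histories app-one/main
git filter-repo --to-subdirectory-filter packages/app-one
const out = execSync('pnpm -r build', { stdio: 'inherit' });
TURBO_TOKEN=your-token TURBO_TEAM=acme TURBO_API=http://cache.internal.example turbo run build
"""

if __name__ == "__main__":
    # The trusted host set is an assumption; use your own cache host.
    for category, lineno, snippet in audit_skill_text(SAMPLE_SKILL, {"vercel.com"}):
        print(f"{category:26} line {lineno}: {snippet}")
```

Each finding is a prompt to read the surrounding lines, not a verdict; a flagged `git filter-repo` is expected in a migration guide, and the useful output is the checklist of lines to review and back up for before running them.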

Review Dimensions

Purpose & Capability
ok · The name/description (monorepo tooling) matches the content: Turborepo, Nx, pnpm, changesets, dependency-graph generation, migration steps, CI patterns, and CLAUDE.md guidance are all within the stated purpose. The SKILL.md does reference remote-cache tokens (TURBO_TOKEN, TURBO_TEAM) and DATABASE_URL in example configs, which are relevant to CI/remote-cache setup for monorepos; their mention is appropriate for this domain even though the skill metadata does not declare required env vars.
Instruction Scope
note · The instructions include shell commands and example scripts that will read and write repository files, run Node (execSync), generate files, perform git operations (git clone, git filter-repo, git merge --allow-unrelated-histories), and contact remote services (Vercel/turbo remote cache, GitHub). These are expected for migration and build tooling, but some operations are destructive (git filter-repo rewrites history, merges with --allow-unrelated-histories) and should be run only with backups and review. The skill does not instruct the agent to access unrelated system secrets or non-repo system paths.
Install Mechanism
ok · Instruction-only skill with no install spec and no code files; nothing is downloaded or written by an installer. Example scripts are provided for users to run themselves; the skill does not perform installs automatically.
Credentials
note · The SKILL.md references environment variables that are reasonable for CI and remote caching (TURBO_TOKEN, TURBO_TEAM, TURBO_API, NODE_ENV, DATABASE_URL). The skill metadata does not declare required env vars, which is acceptable for an instruction-only guide, but users should be aware that the examples assume those variables may exist and be used by the commands. No unrelated third-party credentials are requested.
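A check for the gap this dimension notes, as an added example that is not part of the ClawHub scan or the skill: it enumerates the environment variables a skill's examples reference (`$VAR`, `${VAR}`, `process.env.VAR`, `os.environ[...]`, and `VAR=value` command prefixes) and reports those the metadata does not declare, marking names that look like secrets. The sample text, the declared set, and the secret-name hints are assumptions; the page does not show the skill's metadata format, so the declared variables are passed in as a plain set.

```python
"""Compare environment variables referenced by a skill's examples with
the variables its metadata declares, so a reviewer sees which secrets
the examples assume without saying so. Sample text and the declared set
are constructed for this example."""
from __future__ import annotations

import re

# Reference patterns covering shell, Node and Python examples.
ENV_REF_PATTERNS = (
    re.compile(r"\$\{?([A-Z][A-Z0-9_]+)\}?"),                      # $VAR or ${VAR}
    re.compile(r"process\.env\.([A-Z][A-Z0-9_]+)"),                # Node
    re.compile(r"os\.environ(?:\.get)?[\[(]['\"]([A-Z][A-Z0-9_]+)['\"]"),  # Python
    re.compile(r"(?:^|\s)([A-Z][A-Z0-9_]+)=\S"),                   # VAR=value prefix
)

# Name fragments that usually mean a credential (assumption for this example).
SECRET_HINTS = ("TOKEN", "SECRET", "PASSWORD", "API_KEY", "DATABASE_URL")


def referenced_env_vars(text: str) -> dict[str, set[int]]:
    """Map each referenced variable name to the line numbers that use it."""
    refs: dict[str, set[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in ENV_REF_PATTERNS:
            for m in pattern.finditer(line):
                refs.setdefault(m.group(1), set()).add(lineno)
    return refs


def looks_secret(name: str) -> bool:
    return any(hint in name for hint in SECRET_HINTS)


def undeclared_env_vars(text: str, declared: set[str]) -> dict[str, dict]:
    """Variables the examples use but the metadata does not declare."""
    report = {}
    for name, lines in referenced_env_vars(text).items():
        if name not in declared:
            report[name] = {"lines": sorted(lines), "secret_like": looks_secret(name)}
    return report


# Constructed sample with the kinds of references the verdict lists.
SAMPLE_SKILL = """\
## Remote cache (constructed sample)
export TURBO_TOKEN=${TURBO_TOKEN}
TURBO_TEAM=acme TURBO_API=https://cache.internal.example turbo run build
## App config
const db = process.env.DATABASE_URL;
if (process.env.NODE_ENV !== 'production') { console.log('dev'); }
"""

# Assumed declared set; the real skill's metadata declares none.
DECLARED = {"NODE_ENV"}

if __name__ == "__main__":
    for name, info in sorted(undeclared_env_vars(SAMPLE_SKILL, DECLARED).items()):
        flag = "SECRET-LIKE" if info["secret_like"] else "plain"
        print(f"{name:14} {flag:12} lines {info['lines']}")
```

Secret-like hits (here TURBO_TOKEN and DATABASE_URL) are the ones to confirm are set only in your own CI or shell and never pasted into the skill text; the plain ones (TURBO_TEAM, TURBO_API) still decide which cache the token is sent to, so they belong in the same review.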
Persistence & Privilege
ok · The skill is not always-enabled, is user-invocable, has no install actions, and does not request persistent platform privileges. It does not modify other skills' configs or platform-wide settings.