Skill v2.1.1
ClawScan security
Roadmap Communicator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 2:31 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions match its stated purpose (roadmaps, release notes, changelogs); it has no network calls, no credential requests, and only reads git history as advertised.
- Guidance: This skill appears coherent and limited in scope, but exercise normal caution before enabling code from an unknown author: 1) The included script reads your git commit messages — those can contain sensitive info, so review the output before sharing externally. 2) Inspect scripts locally (you can read scripts/changelog_generator.py, which is small and clear) and run them in a trusted environment. 3) Ensure git and python3 are present and that you run the script in the intended repository or with --stdin/--demo to avoid exposing unrelated commit history. If you need provenance, ask the publisher for a homepage or source repository before broad deployment.
Review Dimensions
- Purpose & Capability (ok): The name/description (roadmap, release notes, changelogs) align with the included templates and a changelog generator script. There are no unrelated binaries, environment variables, or config paths requested. Source/homepage are missing (author unknown), but that doesn't make the capability inconsistent.
- Instruction Scope (ok): SKILL.md instructs the agent to produce communication artifacts and optionally run the provided changelog_generator.py to read git commit messages. The script only reads git commit subjects (or stdin/demo) and formats them; it does not access other files, environment variables, or external endpoints.
- Install Mechanism (ok): No install spec; this is instruction-only with an included Python script. No downloads or extracted archives. The script is runnable with system Python and expects git on PATH if used.
- Credentials (ok): No required environment variables, credentials, or config paths are declared or used. The only runtime dependency is git (checked at runtime) and python3, which are appropriate for the stated functionality.
- Persistence & Privilege (ok): always is false and the skill does not request permanent or system-wide changes. There is no code that modifies other skills or agent configuration.
