Skill v1.0.0

ClawScan security

open-leqi-assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 6:32 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only helper that documents the open-leqi project structure and gives rules for locating code; its declared requirements, files, and instructions are internally consistent and proportionate to that purpose.
Guidance
This skill is a documentation-based code-location and analysis assistant — it contains guides and path mappings for the open-leqi project and asks for nothing sensitive. Before installing, verify you actually want an assistant that assumes the repository is at the documented paths (e.g. D:/leqi/open-leqi/). The skill does not request credentials or perform installs, but it cannot access files that aren't present in the agent environment; if you expect file-level analysis, ensure the repo or relevant files are available and avoid supplying secrets in chats. If you require the agent to read real source files, confirm how those files will be provided and who has access to them.

Review Dimensions

Purpose & Capability
ok: The skill name/description (project analysis and code-location helper) matches the included SKILL.md and reference documents. There are no unexpected credentials, binaries, or install steps requested that would be unrelated to a code-reading assistant.
Instruction Scope
note: SKILL.md gives precise runtime behavior: identify the user's scenario, map to Controller/Service/DAO, return full file paths and analysis. This is appropriate for a code-locating helper, but it assumes the repository exists at the documented paths (e.g. D:/leqi/open-leqi/). The instructions do not direct the agent to read or transmit secrets or to call external endpoints.
Install Mechanism
ok: No install spec or code execution is provided (instruction-only). Nothing is downloaded or written to disk by the skill package itself.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. Mentions external dependencies (SDK, DB) only as documentation; it does not request access to them.
Persistence & Privilege
ok: always is false and the skill does not request persistent system presence or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other red flags.