Skill v1.0.0

ClawScan security

Task Development Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 16, 2026, 2:36 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only TDD/PR workflow guide that matches its description and requests no installs, credentials, or unexpected system access.
Guidance
This is a guidance-only workflow (no code, installs, or credential requests) and is internally consistent with its stated purpose. It appears safe to use as a process checklist. Two practical cautions: (1) the publisher/source and homepage are missing—prefer skills with identifiable provenance if that matters to you, and (2) if you later attach automation (e.g., scripts that integrate with Trello or GitHub), only grant minimal-scoped credentials and be careful with force-push operations, which can rewrite repository history.

Review Dimensions

Purpose & Capability
ok: The name/description (TDD-first task workflow, Trello task tracking, PR-based review) matches the actual instructions. All required actions are process and human-workflow steps (planning, tests, branches, PRs, Trello card moves). There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
ok: SKILL.md and references only give procedural guidance (questions to ask, TDD steps, Trello board columns, PR templates, branch rules). It does not instruct the agent to read system files, environment variables, or send data to external endpoints. One operational note: it mentions 'push force with lease' as a conflict resolution step (an operational risk to repository history if used improperly) but that is a process recommendation rather than hidden automation or exfiltration.
Install Mechanism
ok: No install spec and no code files — this is instruction-only, which is the lowest-risk install surface. Nothing will be downloaded or written to disk by the skill itself.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. It references Trello and Git workflows but does not request Trello/GitHub tokens or other secrets; if you later automate parts of this workflow, you will need to supply appropriate scoped credentials separately.
Persistence & Privilege
ok: always is false and the skill does not request persistent system presence or modify other skills/configuration. Autonomous invocation is allowed by default on the platform, but this skill contains only guidance and cannot perform privileged actions on its own.