Skill v1.0.0
ClawScan security
Use Cartograph · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 12:54 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions line up with its stated purpose: it simply tells the agent to prefer the Cartograph CLI/MCP when available and contains no unrelated requirements or installs.
- Guidance: This skill is essentially a set of instructions to use your existing Cartograph CLI or MCP server; it doesn't install anything or ask for secrets. Before enabling: ensure you actually have a trusted Cartograph binary or MCP endpoint available and that your agent has appropriate access to the repo you want analyzed. If Cartograph's server or a wiki 'provider' requires credentials in your environment, you'll need to provide them separately — review those provider requirements and the trustworthiness of the Cartograph installation before running. If Cartograph is not available, the skill will fall back to repo-surveyor as instructed.
Review Dimensions
- Purpose & Capability (ok): Name/description promise (repo orientation, task-scoped context, doc inputs) matches the runtime instructions which call cartograph analyze/context/wiki. The skill does not request unrelated binaries, credentials, or config paths.
- Instruction Scope (ok): SKILL.md stays on-topic: it directs the agent to check for Cartograph, run specific cartograph commands against a repository and task, prefer bundled OpenProse templates if present, and fall back to repo-surveyor. It does not instruct broad system scans or exfiltration. Note: it assumes the agent has access to the target repo (filesystem or network) and to Cartograph MCP endpoints if used.
- Install Mechanism (ok): No install spec or code files are present (instruction-only), so nothing will be written to disk or fetched during install via the skill registry.
- Credentials (ok): The skill declares no environment variables or credentials. One caveat: Cartograph MCP or certain 'provider' flags for wiki may require service endpoints/credentials in practice, but the skill does not request them — this is a reasonable minimal declaration for an instruction-only wrapper.
- Persistence & Privilege (ok): "always" is false and the skill is user-invocable. It does not request elevated or persistent presence or attempt to modify other skills or system-wide settings.
