Skill v1.0.0

ClawScan security

Auto Doc AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 1:21 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description claims a CLI/tool that parses Python with AST and an LLM, but the package contains no code or install instructions — the instructions reference a /generate-docs binary that doesn't exist in this bundle, which is inconsistent and needs clarification before use.
Guidance
This skill's description and docs describe a CLI (/generate-docs) and reference a GitHub repo, but the published package contains only README and SKILL.md — no code, no installer, and no declared LLM credentials. Before installing or enabling this skill: 1) ask the publisher for the implementation/source or a valid install spec (so you know what will be executed); 2) if you plan to let it run on your codebase, prefer dry-run/preview first and avoid --overwrite until you verify output; 3) confirm whether an external LLM/API key is required and where secrets would be stored; 4) if you don't trust the source, do not run arbitrary binaries or git clones suggested by the README. Clarifying these points would reduce the current uncertainty.

Review Dimensions

Purpose & Capability
note: The stated purpose (generate Google-style docstrings from Python using AST + LLM) is reasonable and coherent as a concept, but the SKILL.md and README both reference a /generate-docs CLI and a git repo with a binary. The registry entry contains no code files or install spec, so the claimed executable/tool is not actually provided.
Instruction Scope
note: The runtime instructions tell the agent/user to run /generate-docs against local files or directories (including --overwrite). Operating on local source files is within the stated purpose, but instructions assume a local executable and don't describe how the LLM integration is performed or where any required API keys would come from.
Install Mechanism
concern: There is no install spec in the registry package. README suggests installing from a GitHub repo or via clawhub, implying that additional code/binaries exist upstream — but those are not included here. This mismatch increases uncertainty: the skill may rely on an external binary that won't be present unless the user manually installs it.
Credentials
note: The skill declares no environment variables or credentials, which is proportional if it intends to use the agent's internal model. However, the description explicitly mentions an LLM; if the implementation calls an external LLM API it would normally require API keys (not declared). This absence should be clarified.
Persistence & Privilege
ok: The skill is not marked always:true, and is user-invocable. It does not request persistent privileges or system-wide config changes in the provided files.