v1.0.0

Jq Json Processor

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:55 AM.

Analysis

This skill is a straightforward jq helper with disclosed, purpose-aligned command examples and no evidence of hidden behavior.

GuidanceThis appears safe to install if you want jq help. Be careful with examples that write back to files, and install jq from a trusted package source.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

jq '.version = "2.0"' package.json > package.json.tmp && mv package.json.tmp package.json

This example shows jq being combined with shell redirection and mv to overwrite a local project file. It is clearly documented and purpose-aligned, but users should notice that running similar commands can modify files.

User impactIf a user or agent applies these examples to important files, local JSON or project files could be changed.

RecommendationReview file-modifying jq commands before running them, use temporary outputs or backups for important files, and confirm the target path is correct.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

install spec

brew | formula: jq | creates binaries: jq

The skill depends on installing the external jq binary via a package manager. This is expected for a jq skill and no suspicious installer behavior is shown.

User impactThe skill relies on the locally installed jq package being trustworthy and available.

RecommendationInstall jq from a trusted package manager or official source and keep it updated.