Skill v1.0.1

ClawScan security

Devvit Publishing Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:29 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and required actions are coherent with an auditor for Devvit/Reddit publishing: it runs local devvit/ts checks and scans project files and explicitly asks for permission before making changes.
Guidance
This skill appears to be what it says: a local pre-publish auditor that runs npx devvit commands, tsc, and scans files in your project. Before granting permission, consider: (1) the agent will run local commands (npx/tsc) which execute code from your environment — ensure you trust the Devvit CLI on your machine; (2) the auditor will read project files (devvit.json, /src, /assets, CSS) — do not allow scans if these folders contain secrets you don't want inspected; (3) the skill suggests advising a global npm update but explicitly warns not to run global installs without your consent — prefer performing installations yourself; (4) the skill metadata lacks a homepage or publisher description (source unknown), so if you require provenance, verify the author or use an audited, official Devvit tool instead.

Review Dimensions

Purpose & Capability
ok
Name and runtime instructions align: the skill is a pre-publish auditor that runs devvit CLI checks, type-checks, and scans project files for compliance. Nothing requested (no env vars, no external services) appears unrelated to that purpose.
Instruction Scope
ok
SKILL.md and instructions.txt limit activity to local project checks (devvit CLI commands, tsc, scanning devvit.json, /src, /assets, and CSS). The instructions explicitly require user permission before running commands or broad directory scans, and they do not instruct exfiltration or contacting unexpected external endpoints.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. The only commands suggested use npx or user-run npm installs, which is appropriate for this use case.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The checks it proposes (devvit whoami/version, scanning devvit.json and source) are proportional to auditing a Devvit app.
Persistence & Privilege
ok
The skill does not request permanent presence or elevated agent privileges (always is false). It does not instruct modifying other skills or system-wide config; global installs are explicitly marked as requiring user confirmation.