Back to skill
Skillv1.0.0
ClawScan security
Nm Tome Synthesize · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 2:01 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only synthesis helper that is internally consistent with its stated purpose and requests no extra permissions, installs, or credentials.
- Guidance
- This skill is coherent and low-risk in isolation: it merely instructs the agent to run internal 'tome' synthesis functions and requires no installs or credentials. Before using, ensure you understand which research agents/channels will feed data into this synthesis (it will merge whatever findings those agents produced), and avoid running it on sessions that may contain sensitive secrets you don't want aggregated. Also note the skill depends on the surrounding 'tome' research workflow—if that plugin or session data isn't present, the skill won't be able to do anything.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the SKILL.md describes merging, deduplicating, ranking, and formatting research findings and the runtime instructions call corresponding tome.synthesis and tome.output functions. There are no unrelated env vars, binaries, or external installs requested.
- Instruction Scope
- okInstructions are narrowly scoped to invoking internal synthesis steps (merge_findings, rank_findings, group_by_theme, format_report). The skill does not ask to read files, access environment variables, or transmit data to unexpected endpoints. It does assume research session data from other 'tome' agents/plugins is available.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only). Nothing will be written to disk or downloaded during installation.
- Credentials
- okNo environment variables, credentials, or config paths are required. The lack of requested secrets is proportionate to the documented functionality.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. The skill does not request persistent system presence or modify other skills' configs.