Skill v1.0.1
ClawScan security
ClawCoach Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 3:29 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and actions (collect local profile data, calculate BMR, create ~/.clawcoach JSON files) match its stated one-time setup purpose and do not ask for unrelated credentials or installs.
- Guidance: This skill appears coherent and does what it says, but consider these practical points before installing:
  - Privacy: The skill stores personal health data in plaintext JSON at ~/.clawcoach/. If this data is sensitive to you, consider whether you want it encrypted, protected with stricter filesystem permissions, or stored elsewhere.
  - File permissions and backups: Ensure the agent/user account that runs the skill is allowed to write to your home directory and review ~/.clawcoach/ after setup. Decide whether and how those files will be backed up (they will be included in any file backups unless excluded).
  - Handoff expectation: The SKILL.md refers to handing off to a separate 'clawcoach-core' component for future interactions; the registry entry contains only this setup skill. Confirm that the core skill/application is installed and trusted, otherwise future functionality may be missing.
  - Persona content: One persona (
Review Dimensions
- Purpose & Capability (note): Name/description align with the instructions: it collects user profile/goal info, computes BMR/macros, and writes local JSON files. One minor note: the SKILL.md says to "hand off to clawcoach-core" after setup but this skill declares no dependency or requirement for a separate 'clawcoach-core' component — that handoff assumes another skill/component exists and is not validated in the manifest.
- Instruction Scope (note): Instructions are narrowly scoped to asking the user for profile and preference data, computing targets, and writing three JSON files under ~/.clawcoach/. It does not instruct reading unrelated system files or contacting external endpoints. Important privacy note in the instructions: all data is stored locally in plaintext JSON — the skill does not mention encrypting the files or restricting permissions.
- Install Mechanism (ok): No install spec or code files are included (instruction-only). This minimizes risk because nothing is downloaded or written beyond the explicit local profile files.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths beyond a dedicated per-user directory (~/.clawcoach/). The requested access is proportional to the described functionality.
- Persistence & Privilege (ok): always is false and the skill is described as a one-time setup that creates its own directory and files. Writing to ~/.clawcoach/ is reasonable for a local setup step; it does not request system-wide privileges or modify other skills' configuration.
