Skill v1.0.0
ClawScan security
Prompt Quality Checklist · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 11:32 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instruction-only prompt-quality checklist that is internally consistent with its stated purpose and requests no credentials or installs.
- Guidance: This is an instruction-only checklist and appears coherent and low risk. Before installing: consider how you or your agent will use it — if you let the agent automatically validate that referenced asset files exist, that will require file- or network-access permissions outside the skill itself. Also be aware that the checklist enforces strict PASS/FAIL rules (it may block prompts until fixed) and includes a convention for asset paths — ensure those paths point only to non-sensitive assets and that any automation using the checklist has limited permissions. If you plan to augment the skill to auto‑fetch or validate assets, review those additions for file/network access and credential needs.
Review Dimensions
- Purpose & Capability (ok): Name/description (prompt quality checklist for image/video generation) matches the content: a 10‑point audit and examples. It does not request unrelated capabilities, binaries, or credentials.
- Instruction Scope (note): SKILL.md contains only reviewer guidance and examples. It asks authors to include asset paths (e.g., char_ref_001.png) in prompts but does not instruct the agent to read system files, call external endpoints, or retrieve those assets itself. If a user or agent implementation extends the skill to validate existence of asset files, that would require file or network access — the skill itself does not mandate that.
- Install Mechanism (ok): No install spec and no code files — lowest-risk, instruction-only skill. Nothing is downloaded or written to disk by the skill as provided.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The asset-path examples are purely format guidance and do not imply secret access requests.
- Persistence & Privilege (ok): always is false and disable-model-invocation is false (normal). The skill does not request persistent or elevated privileges and does not modify other skills or global agent configuration.
