Skill v0.0.1

ClawScan security

Elite CLI Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 6:28 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requested resources and runtime instructions are coherent with its stated purpose (a guide to modern CLI utilities); no disproportionate permissions, installs, or hidden endpoints are present.
Guidance
This skill is essentially a curated cheat‑sheet for modern CLI utilities and is internally consistent. Before running any example: (1) verify the named binary exists on your system and note Debian/Ubuntu name differences (fdfind/batcat); (2) never run destructive examples (rm, in-place edits) on important data — try them in a disposable repo or container first; (3) be aware some examples fetch remote content with curl (network activity) — review the URL before executing; and (4) if you plan to let an agent execute these commands autonomously, restrict it from running destructive commands or accessing sensitive directories.

Review Dimensions

Purpose & Capability
ok: Name/description describe recommending and demonstrating modern CLI tools; the SKILL.md and reference docs only contain usage examples for those tools and do not request unrelated credentials, binaries, or system access.
Instruction Scope
note: Instructions and examples stay within the stated domain (searching, viewing, editing files, JSON/YAML processing). A few examples show destructive operations (e.g., fdfind -X rm, delete examples, in-place yq/sd modifications) and examples that fetch remote URLs (curl), which is expected for a CLI cookbook but means users/agents must not execute examples blindly.
Install Mechanism
ok: No install spec or downloaded code; this is instruction-only. Nothing is written to disk by the skill itself.
Credentials
ok: The skill declares no environment variables, no primary credential, and references no external tokens or config paths. Example usage of tools that can consume env vars (yq strenv) is documented but not required by the skill.
Persistence & Privilege
ok: Skill is not always:true, does not request persistent system privileges, and is instruction-only. Autonomous invocation is allowed by platform default but not combined with any elevated permissions here.