Skill v1.0.0
ClawScan security
Zustand Patterns · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 9:59 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only skill that contains coding patterns and examples for Zustand stores; its requirements and instructions are internally consistent with that purpose.
- Guidance: This skill is a set of coding patterns and appears coherent with its stated purpose. Before adopting the code in your app: (1) review and implement Electron main-process IPC handlers securely — IPC channels can expose stored data to the main process; (2) avoid persisting secrets or sensitive credentials (use partialize or encryption if needed); (3) review onRehydrate/recovery logic so it does not automatically perform network actions or re-submit tasks without user consent; (4) add unit/integration tests for rehydration and migration paths. Because the skill is instruction-only, installing it does not add binaries, but copying the provided code into your project is where you should do a security review.
Review Dimensions
- Purpose & Capability: ok. The name/description (Zustand patterns for React + Electron) matches the SKILL.md content. There are no unexpected env vars, binaries, or install steps requested — everything in the instructions is about store design, slices, persist, recovery, Electron IPC, and testing.
- Instruction Scope: note. The SKILL.md stays on-topic and provides code examples for persist, recoverable tasks, and Electron IPC storage adapters. One area to pay attention to: the examples use ipcRenderer.invoke('store:get'|'store:set'|'store:remove') (i.e., IPC channels). That assumes corresponding main-process handlers exist and are implemented securely; storing or restoring task state on rehydrate may trigger application behavior (like resuming polling) and thus should be reviewed before use. The instructions do not ask to read arbitrary host files or exfiltrate secrets.
- Install Mechanism: ok. Instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by the skill package itself.
- Credentials: ok. No environment variables, credentials, or config paths are requested. The examples mention storing preferences but explicitly advise not to persist runtime-only state.
- Persistence & Privilege: ok. The skill does not request persistent/autonomous privileges (always:false) and does not modify other skills or system-wide settings; it only offers coding guidance for application-level persistence patterns.
