Skill v1.0.0

ClawScan security

Shaping & Breadboarding · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 11, 2026, 9:30 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only Shape Up / breadboarding methodology guide and its requirements, files, and instructions are consistent with that purpose.
Guidance
This skill is a plain methodology pack — there are no installs or credentials requested and its content matches the Shape Up/breadboarding purpose. Things to consider before installing or using it: (1) the instructions insist on including verbatim source material and full tables without summarization — avoid pasting secrets, credentials, or sensitive logs into sessions you'll feed to the skill; (2) the guidance suggests creating files (spike-*.md, shaping docs). If your agent runtime can write files, be aware those files may persist in the agent workspace; check workspace permissions and clean up any sensitive artifacts; (3) the strict 'show full tables / never summarize' rule can lead to very large outputs that might inadvertently include private data — review outputs before sharing externally; (4) if you are concerned about autonomous runs, consider keeping the skill user-invocable only (it already is) or disabling autonomous invocation at the agent/platform level. Overall the package is internally coherent and appropriate for its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name and description match the provided SKILL.md and reference docs. No binaries, env vars, config paths, or external services are requested that would be unrelated to a shaping/breadboarding methodology.
Instruction Scope
note: Instructions are detailed and prescriptive about how to run shaping sessions (tables, fit checks, spikes, file names). They ask the agent to create files (e.g., spike-[topic].md) and to include verbatim 'Source' content and full tables without summarizing. This is coherent for the methodology but raises a privacy/data-disclosure consideration: the agent may be instructed to echo user-provided text verbatim and persist it to files if the agent implementation permits file writes.
Install Mechanism
ok: Instruction-only skill with no install spec or code. No downloads, packages, or binaries are required.
Credentials
ok: No environment variables, credentials, or config paths are requested. The declared requirements are appropriately minimal for the stated purpose.
Persistence & Privilege
ok: Skill is not always-enabled and does not request elevated privileges. It contains guidance to create and maintain shaping documents, which is normal for a documentation/process skill. If the agent platform allows writing files, the skill's instructions assume writing documents but do not attempt to modify other skills or system-wide settings.