Skill v1.0.0

ClawScan security

skill-navigator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 2:44 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are consistent with a dashboard/inventory purpose: it scans local SKILL.md files under /home/ubuntu/skills, heuristically maps capabilities, and renders a template—no network requests, no extra credentials, and no elevated persistence requested.
Guidance
This skill appears to do what it says: scan local SKILL.md files and render a dashboard. Before installing or running it, check two things: (1) verify that your runtime actually stores skills at /home/ubuntu/skills or edit the script/commands to the correct path; (2) ensure none of your existing SKILL.md files contain secrets or sensitive config (they usually shouldn't), because the dashboard will read and surface those files' metadata. If you want extra caution, run the script in a sandboxed environment first and inspect its output before giving it broad access to your production skills directory.

Review Dimensions

Purpose & Capability
ok
The skill claims to build a visual dashboard of installed skills and its script scans SKILL.md files to extract metadata and compute capability scores. Reading skill metadata under a local skills directory is coherent with the stated purpose. Minor inconsistency: SKILL.md frontmatter name is 'skill-dashboard-visualizer' while the registry slug is 'skill-navigator'—this is likely a naming mismatch but does not change behavior.
Instruction Scope
note
Instructions explicitly tell the agent to run scripts that read SKILL.md files under /home/ubuntu/skills. That is within the expected scope for an inventory/dashboard tool. Note: the SKILL.md uses an absolute path (/home/ubuntu/skills/skill-dashboard-visualizer/...), which assumes where skills are installed; if the runtime stores skills elsewhere the provided commands may fail. Also the dashboard will surface metadata from other skills' SKILL.md files—if those files accidentally contain secrets, those will be read and included in the generated output.
Install Mechanism
ok
No install spec and no network/downloads are present. The skill is instruction+script-only and uses only standard Python libraries. This is low-risk from an installation standpoint.
Credentials
ok
The skill does not request environment variables, credentials, or config paths. Its access is limited to reading files in /home/ubuntu/skills, which matches the declared purpose.
Persistence & Privilege
ok
'always' is false and model invocation is allowed (default). The skill does not request permanent presence or modify other skills' configurations. No elevated privileges are requested.