Back to skill
Skillv2.0.0
ClawScan security
Boilerplates · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 7:06 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions are consistent with a local boilerplate/template helper: it reads/writes a small data directory, has no network calls or secret requirements, and its behavior matches the description.
- Guidance
- This skill appears coherent and low-risk: it runs local shell scripts that store data under a per-user data directory and does not request secrets or access the network. If you install or run it, review or run the scripts in a sandbox first if you want to verify behavior, and optionally set BOILERPLATES_DIR to control where files are written.
Review Dimensions
- Purpose & Capability
- okName/description promise a collection of templates and a small CLI. The included scripts implement a simple local utility (help, run, list, add, search, etc.) and reference the stated upstream; nothing requires unrelated capabilities.
- Instruction Scope
- okSKILL.md only documents invoking the tool (help, run). The scripts operate on local files and do not instruct the agent to read unrelated system files, call external endpoints, or exfiltrate data.
- Install Mechanism
- okNo install spec — instruction-only. The provided shell scripts are small, readable, and do not perform downloads or execute fetched code.
- Credentials
- okThe skill declares no required env vars or credentials. The scripts honor an optional BOILERPLATES_DIR and standard XDG_DATA_HOME/HOME fallbacks — reasonable for a local data store.
- Persistence & Privilege
- noteThe scripts create and write files under a data directory (default: $XDG_DATA_HOME or $HOME/.local/share/boilerplates) and append to history/log files. This is expected for a local utility but means it will persist user data to disk.