Skill v2.0.0
ClawScan security
Coze Studio · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 7:08 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and instructions are coherent with a simple local CLI helper for 'Coze Studio' — it only reads/writes a user-local data directory and contains no network calls or credential requests.
- Guidance: This skill appears to be a small, local CLI utility that stores data under COZE_STUDIO_DIR (default ~/.local/share/coze-studio). Before installing or running: (1) review the scripts yourself to confirm behavior (they only write logs and a simple DB file), (2) avoid pointing COZE_STUDIO_DIR at sensitive system paths, and (3) run in a sandbox or non-critical account if you want to be cautious. Note that the SKILL.md advertises a larger platform but the shipped scripts are basic placeholders — functionality is limited rather than risky.
Review Dimensions
- Purpose & Capability: ok. The name/description claim an AI-agent dev platform; the included scripts implement a small local CLI with commands like run, status, add, list and reference COZE_STUDIO_DIR. The requested artifacts (no credentials, no unusual binaries) match a lightweight CLI helper. The only minor mismatch is that the SKILL.md advertises broader functionality but the scripts are simple placeholders/utility functions rather than a full platform — this is a functionality gap, not a security inconsistency.
- Instruction Scope: ok. SKILL.md instructs to run 'coze-studio <command>'; it documents COZE_STUDIO_DIR. The bundled scripts only create a data directory, append to logs/data files, and echo output. They do not read unrelated system files, call external endpoints, or access secrets. They do read standard env vars (XDG_DATA_HOME, HOME) which is expected.
- Install Mechanism: ok. No install spec is provided (instruction-only). The included shell scripts are small and plain text; there are no downloads, package installs, or archive extraction steps. Low-risk from an install perspective.
- Credentials: ok. The skill requires no credentials or special environment variables. It optionally respects COZE_STUDIO_DIR (and standard XDG_DATA_HOME/HOME) to set its data directory, which is reasonable for a local CLI. No secrets or unrelated service tokens are requested.
- Persistence & Privilege: ok. The skill is not 'always: true', does not request system-wide config changes, and does not modify other skills. It creates and writes files only under the user-specified (or default) data directory.
