Skill v3.0.0
ClawScan security
Exercise Form · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 12:09 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a small, local Bash-based exercise guide that only creates a per-user data directory and prints canned guidance; its requirements and behavior match its description.
- Guidance: This skill appears coherent and low-risk: it runs a small bundled Bash script that prints exercise guidance and creates a per-user data directory. Before installing, verify you trust the source (bytesagain.com) if that matters to you, and note that the script runs locally (no network calls or secret access). You can open scripts/script.sh yourself — it’s short and readable — to confirm there are no modifications you dislike. One minor note: a few echo lines use single quotes with $2 (so the literal string "$2" may appear instead of the argument), which is a correctness bug rather than a security issue.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included script: commands provide exercise guidance, searches, warmups, routines and tips. No unrelated binaries, env vars, or cloud credentials are requested.
- Instruction Scope (ok): SKILL.md directs the agent to run the bundled scripts/script.sh with specific commands. The script only reads its CLI args and prints canned responses; it does not read other system files, access network endpoints, or transmit data externally. It documents data storage location (~/.local/share/exercise-form), which the script creates but does not populate.
- Install Mechanism (ok): No install spec and no external downloads; the skill is instruction + a single local shell script. No extraction or remote code fetched at runtime.
- Credentials (ok): No environment variables, credentials, or config paths are requested beyond the user home directory for a local data directory. This is proportional to the skill's purpose.
- Persistence & Privilege (ok): always is false and the skill does not request elevated privileges. It only creates a per-user data directory (~/.local/share/exercise-form), which is reasonable for storing user data.
