Back to skill
Skillv3.0.1
ClawScan security
Ring Security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 24, 2026, 1:44 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an internally consistent reference/help skill that only prints static documentation; it requests no credentials, makes no network calls, and contains a simple local shell script that outputs the same content.
- Guidance
- This skill appears low-risk: it only prints static reference documentation and asks for no credentials or network access. Before installing, you may want to: (1) review the included SKILL.md and scripts/script.sh yourself (they are short and readable), (2) be aware the agent will run the bundled shell script when invoked — if you prefer to avoid executing shell code, decline or sandbox the skill, and (3) note minor editorial inconsistencies (the script's internal VERSION is 3.0.0 while registry lists 3.0.1, and the cheatsheet mentions a 'troubleshooting' command while the script provides 'debugging'); these are quality issues but not security concerns.
Review Dimensions
- Purpose & Capability
- okName/description (reference docs for 'Ring Security') align with what is included: SKILL.md plus a shell script that prints reference text. There are no unexplained environment variables, binaries, or external services required.
- Instruction Scope
- okSKILL.md explicitly states all commands output plain-text via heredoc with no external API calls. The bundled scripts/script.sh contains only functions that emit static documentation and a simple command dispatcher; it does not read arbitrary files, access environment variables, or make network calls.
- Install Mechanism
- okNo install spec is provided (instruction-only style). A script file is bundled, but it is a non-obfuscated, static bash script that only emits documentation. There are no downloads or extract/install steps that would write or execute remote code.
- Credentials
- okThe skill declares no required env vars, credentials, or config paths and the runtime script does not attempt to access secrets. Requested privileges are minimal and proportionate to a local reference tool.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or system-wide configuration. It has no persistence requirements beyond the bundled files.