Back to skill
Skillv2.0.0
ClawScan security
Roast Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 6:48 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and instructions are consistent with a local roast-generator utility: it produces canned roasts, logs usage to a local data directory, and does not request credentials or network access.
- Guidance
- This skill appears coherent and local-only: it generates canned roasts and keeps a small data/log directory under your home by default. Before installing or running it, consider: 1) where you want its data stored (set ROAST_GENERATOR_DIR if you want a different location), 2) whether you are comfortable with a couple of plain-text files (data.log, history.log) being created, and 3) that SKILL.md references a homepage/source (bytesagain.com / GitHub) while the registry listed source as unknown — if provenance matters, verify the upstream project. There are no network calls or credential requests in the provided files.
Review Dimensions
- Purpose & Capability
- okThe name/description (roast generator) matches the included scripts: roast.sh generates roasts and script.sh provides a small CLI with run/list/add/export functionality. No unrelated capabilities (cloud access, crypto, etc.) are requested.
- Instruction Scope
- noteSKILL.md simply tells the user to run 'roast-generator' and describes outputs. It does not instruct reading system files or exfiltrating data. Minor scope note: the runtime scripts create and write logs and a data file under a user data directory (default: ${XDG_DATA_HOME:-$HOME/.local/share}/roast-generator), which is reasonable for a CLI but is persistent state the user should be aware of.
- Install Mechanism
- okThere is no install spec (instruction-only) and the included scripts are simple shell/python code. No downloads or external package installs are performed, so installation risk is low. SKILL.md references a command name ('roast-generator') but does not provide an explicit install step — the user should ensure the scripts are placed on PATH if they expect that command to work.
- Credentials
- okThe skill requires no environment variables or credentials. It accepts an optional ROAST_GENERATOR_DIR to change the data directory, which is proportionate to its purpose.
- Persistence & Privilege
- noteThe skill is not force-included (always:false) and runs on demand. However, the CLI writes persistent files (data.log and history.log) to a per-user data directory by default; this is expected behavior but worth noting if you do not want local logs.