Skill v1.0.0
ClawScan security
Shadow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 19, 2026, 1:18 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose: a local CLI-based CSS shadow generator that stores presets under ~/.shadow; it does not request unrelated credentials, external installs, or surprising system access.
- Guidance: This skill appears to do exactly what it says: a local CLI/Python tool that generates and saves CSS shadow presets in ~/.shadow. Before installing or running, review the included scripts/script.sh (already provided) if you don't fully trust the source, and back up or inspect any existing ~/.shadow/data.jsonl because the tool will create/overwrite entries there when saving. Generated preview HTML files should be opened cautiously (they are local files). If you need stronger isolation, run the script in a sandbox/container or inspect the full script output on a test system first.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included files and behavior: the bundle contains a Bash launcher and a Python core that generate CSS shadow values, presets, previews, exports, and persist records. No unrelated dependencies or credentials are requested.
- Instruction Scope (ok): SKILL.md instructs the agent to run scripts/script.sh and documents the CLI surface. The script only reads/writes its own data file (~/.shadow/data.jsonl), builds CSS strings, and writes preview/export files — no reading of unrelated system files or environment variables was observed.
- Install Mechanism (ok): No install spec is present (instruction-only with an included script). The code is included in the package; there are no downloads or extract-from-remote steps that would introduce extra risk.
- Credentials (ok): The skill requires no environment variables or external credentials. It persists user data under ~/.shadow which is reasonable for a CLI tool of this type.
- Persistence & Privilege (note): The tool persistently stores records at ~/.shadow/data.jsonl and creates that directory. This is expected behavior for a presets tool but is persistent state in the user's home directory and should be noted by the user.
