Skill v3.0.2
ClawScan security
Yamlcheck · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 11:02 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (YAML validation, linting, YAML→JSON conversion) and requests no credentials, but there are minor inconsistencies and a truncated file listing that reduce confidence.
- Guidance: This skill is coherent with its description and does not ask for secrets. Before installing: (1) ensure python3 is available in the environment (SKILL.md and the script require it) — the registry metadata omits this requirement and should be fixed; (2) consider installing PyYAML for full parsing if you need robust YAML support; (3) review the full scripts/script.sh contents locally — the manifest preview here was truncated, so verify the file's end to ensure there are no unexpected behaviors; (4) run the tool on non-sensitive sample files first or in an isolated environment if you want extra caution.
Review Dimensions
- Purpose & Capability (note): The SKILL.md and included script clearly require python3 (and optionally PyYAML), which aligns with the declared purpose. However, the registry metadata lists no required binaries while the runtime instructions and script call python3 — that metadata omission is an inconsistency that should be corrected.
- Instruction Scope (ok): Runtime instructions and the script stay within the stated scope: they read a user-provided YAML file, run local checks or call PyYAML, and emit lint/validation/JSON output. There are no network calls, credential access, or instructions to read unrelated system files in the provided content.
- Install Mechanism (ok): No install spec is provided (instruction-only), which is lower risk. A script file is included and will be executed locally; the install path does not write arbitrary remote code. There are no downloads or external installers in the manifest.
- Credentials (ok): The skill requests no environment variables or credentials. The only runtime dependency is python3 (and optionally the PyYAML library), which is proportionate to a YAML toolkit.
- Persistence & Privilege (ok): always is false and the skill does not request persistent or elevated system privileges. It does not modify other skills or global agent settings in the provided materials.
