Skill v6.0.0

ClawScan security

License Picker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 23, 2026, 12:45 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it claims to be an offline reference for open-source licensing and the provided materials (SKILL.md and script.sh) contain only static reference text with no network calls or credential requirements.
Guidance
This skill appears safe and coherent for use as an offline licensing reference. Before installing or enabling it for autonomous agents, (1) inspect the full scripts/script.sh file in the repository (the provided listing shows '[truncated]') to confirm there are no added network calls or side effects, (2) remember this is reference material, not legal advice—consult counsel for binding interpretations, and (3) avoid granting persistent/always-on privileges unless you review future updates for behavioral changes (network calls, credential reads, or subprocess execution).

Review Dimensions

Purpose & Capability
ok: The name/description (open-source license reference) matches what is included: no required binaries, no env vars, and the script emits documentation text. Nothing requested appears unrelated to a licensing reference tool.
Instruction Scope
ok: SKILL.md explicitly says outputs are plain-text heredocs with no external API calls. The included script defines cmd_* functions that print static heredocs; no commands that read credentials, call network endpoints, or access unrelated system files were found in the provided content. (Note: the provided script listing ends with a '[truncated]' marker — review the complete file in the repository to confirm there are no additional behaviors.)
Install Mechanism
ok: There is no install spec (instruction-only behavior). A single shell script is included but no downloads, package installs, or extract operations are present.
Credentials
ok: The skill requires no environment variables or credentials and the script does not reference any env vars or secret-like names. The absence of requested secrets is proportionate to the stated purpose.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request elevated or persistent platform privileges.