Skillv4.0.2

ClawScan security

Credential Tester · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 24, 2026, 1:13 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an offline reference tool whose files and runtime instructions match its stated purpose and do not request credentials, network access, or unusual privileges.
Guidance: This skill appears to be a simple offline reference: it prints documentation and does not use network calls or credentials. Before installing, you can inspect scripts/script.sh yourself (it is short and readable) and verify you trust the GitHub/source URL. If you permit the agent to invoke skills, note that running the skill will execute that script; since it only outputs static text, risk is low. Also be aware of the minor version string inconsistencies in metadata (script VERSION vs registry version) — likely benign but worth noting if strict version tracking matters.

Purpose & Capability: okThe name/description claim a reference tool for 'Credential Tester' and the included SKILL.md plus scripts/script.sh only produce local plaintext documentation; there are no unrelated credential or cloud requirements.
Instruction Scope: okSKILL.md explicitly states no external API calls or credentials are required and the runtime script only prints heredoc documentation, does not read system files, environment variables, or send network requests.
Install Mechanism: okThere is no install spec (instruction-only style). The repository includes a harmless bash script that is not downloaded from an external URL and nothing is written to disk by an installer.
Credentials: okNo required environment variables, no primary credential, and the script does not access env vars or secrets; the requested access is minimal and proportional to a documentation/reference tool.
Persistence & Privilege: okThe skill is not marked always:true, does not modify other skills or system-wide configuration, and only runs when invoked by the user/agent.