Back to skill
Skillv3.0.0
ClawScan security
Deadlink · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 19, 2026, 10:42 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match the stated purpose (a link checker), request only normal network access and curl, and show no signs of hidden exfiltration or unrelated privileges.
- Guidance
- This skill appears to do exactly what it says: check URLs and produce local reports. Before installing, ensure curl is available on the host (SKILL.md requires it despite registry metadata not listing binaries). Be aware that running scans or site crawls will generate outgoing HTTP(S) requests to every target URL (respect robots/terms of service and avoid aggressive scans against sites you don't own). The User-Agent string includes bytesagain.com but that is only an identifier — the script does not contact that domain. If you plan to scan large sites, consider rate-limiting and the legal/ethical implications; run it in an environment where outgoing network traffic is acceptable.
Review Dimensions
- Purpose & Capability
- noteThe name/description, SKILL.md, and the included bash script are consistent: they implement URL checking, file scanning, crawling, and report generation. Minor metadata mismatch: the registry metadata lists no required binaries, but SKILL.md and the script require curl (and use common shell tools like grep/sed/sort). Asking for curl is reasonable for this purpose.
- Instruction Scope
- okRuntime instructions and the script only fetch URLs (using curl), extract links from provided files or fetched pages, and write plain-text reports to the current directory. The script follows redirects, applies a 10s timeout, and uses a recognizable User-Agent string; it does not read unrelated files, environment variables, or send data to third-party endpoints beyond the URLs being checked.
- Install Mechanism
- okNo install spec — instruction-only plus an included bash script. No downloads or package installs are performed by the skill itself, so there is no high-risk install mechanism.
- Credentials
- okThe skill declares no environment variables or credentials and the code does not access secrets or config paths. Network access is required and justified by the stated functionality.
- Persistence & Privilege
- okThe skill is not marked always:true and does not attempt to modify other skills or system-wide settings. It writes report files only to the current working directory, which is proportional to its purpose.