Skill v2.0.1
ClawScan security
Draw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 10:42 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are consistent with a simple local CLI journaling tool for design work; it stores logs under the user's home and does not request credentials or network access.
- Guidance: This skill is coherent and appears to do exactly what it claims: a local journaling/asset-logging CLI that writes files to ~/.local/share/draw. Before installing, be aware that: (1) it will create and append logs in that directory (history.log and per-command .log files) and export files (export.json/csv/txt); (2) anything you pass as input is stored verbatim — avoid sending secrets or sensitive information to it; (3) if you share the machine or back up home directories, these logs may be included. If you’re comfortable with those behaviors, the skill is reasonable to install; otherwise run it in an isolated account/container or inspect/remove the data directory after use.
Review Dimensions
- Purpose & Capability (ok): Name/description (SVG/diagram/design journaling) align with the included script and SKILL.md: commands log palettes, previews, mixes, exports, and produce export files. Nothing requested (no env vars, no binaries) is out of scope.
- Instruction Scope (ok): SKILL.md and the script only instruct reading/writing files under ~/.local/share/draw, printing to stdout, and using standard POSIX utilities. There are no instructions to read unrelated system configs, credentials, or to transmit data externally.
- Install Mechanism (ok): No install spec; the skill is instruction + a single bash script. There are no downloads, package installs, or external release URLs — low-risk delivery mechanism.
- Credentials (ok): The skill declares no required environment variables or credentials. The script uses HOME implicitly to construct the data dir, which is expected for a user-facing CLI and proportionate to its purpose.
- Persistence & Privilege (ok): always is false and the skill does not request elevated privileges. It persists data only under ~/.local/share/draw (its own data directory), which is a normal level of persistence for a CLI tool.
