Skill v2.0.0

ClawScan security

Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 1:44 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are consistent with a local placeholder-data generator: it reads/writes files under the user's home, has no network calls or credential requirements, and its footprint matches the stated purpose.
Guidance
This skill appears to do what it says: a local generator that stores entries under ~/.local/share/generator and exports them. Before installing or running: (1) inspect the script if you want the data directory elsewhere — SKILL.md mentions GENERATOR_DIR but the script does not honor it; (2) avoid entering any secrets or sensitive data when using the tool since inputs are logged in plain text; (3) if you prefer, run the script in a sandbox/container or modify DATA_DIR in the script to a location you control; and (4) no network or credential access is requested, so the main risk is local data persistence rather than remote exfiltration.

Review Dimensions

Purpose & Capability
ok: Name/description match the included script: a local utility that creates and manages placeholder entries and exports. There are no unexpected external services, cloud credentials, or unrelated binaries required.
Instruction Scope
note: SKILL.md describes running a 'generator' command and setting GENERATOR_DIR; the shipped script implements many generator subcommands and writes/reads logs under $HOME/.local/share/generator. The script persists all user inputs to plain-text *.log and history.log files (potentially containing sensitive input). Also, SKILL.md suggests a configurable GENERATOR_DIR, but the script as provided doesn't read that environment variable (inconsistency).
Install Mechanism
ok: No install spec or external downloads. The skill is instruction/code-only; the provided shell script will run locally. No archive downloads or external package installs are requested.
Credentials
note: The skill requests no credentials or env vars. It does use the HOME directory (creates ~/.local/share/generator) and persists inputs there; this file I/O is proportional to a local fixture generator but may expose anything the user types if they supply secrets as inputs.
Persistence & Privilege
ok: always is false and the skill does not modify other skills or global agent configs. It stores its own data under the user's home directory only.