Skill v2.0.0
ClawScan security
Hr Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 6:59 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and behavior are consistent with an HR template/toolkit: it generates HR content and stores local data/logs but does not request credentials or reach out to external endpoints.
- Guidance: This skill appears to do what it says: generate HR templates and maintain small local logs. Before installing or running, review the two included scripts (they are plain bash) and decide whether you are comfortable with the tool creating files under $HOME/.local/share/hr-toolkit (or a path you set via HR_TOOLKIT_DIR). Because HR data is sensitive, consider pointing HR_TOOLKIT_DIR to a secure location, limit filesystem permissions, and avoid feeding real personal data unless you trust the environment. If you want to be extra cautious, run the scripts in an isolated environment (container or VM) or inspect them line-by-line — they do not perform network calls or request credentials.
Review Dimensions
- Purpose & Capability (ok): The name/description (HR toolkit) matches the delivered artifacts: SKILL.md provides HR commands and the scripts generate JD/onboarding/offboarding/policies/templates. Included scripts implement those functions and a small local data/log facility — all coherent with an HR helper.
- Instruction Scope (ok): Runtime instructions and the hr.sh script are limited to generating HR documents, checklists, templates and printing prompts. They do not instruct reading arbitrary system files, accessing network endpoints, or exfiltrating data.
- Install Mechanism (ok): There is no install spec (instruction-only), which is low-risk. Two bash scripts are included; they are plain text, human-readable, and do not download or execute remote code.
- Credentials (note): No credentials or required env vars are declared. The helper writes data to a local directory (HR_TOOLKIT_DIR or $XDG_DATA_HOME/$HOME/.local/share/hr-toolkit) and logs history; this is reasonable for a local tool but means user/HR data may be stored on disk — consider where that directory is and its filesystem permissions.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide changes or modify other skills. It will create a per-user data directory and log files, which is normal for this type of utility.
