Skill v2.0.0
ClawScan security
Nda Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 17, 2026, 6:59 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and instructions align with its stated purpose: it is a local NDA generator implemented as shell scripts that write output and simple logs to a user data directory; it does not request credentials or make network calls.
- Guidance: This skill appears to be what it claims: a local NDA generator implemented in bash. Before installing or running it: (1) be aware that generated NDA text and command history are written to a data directory (default: $NDA_GENERATOR_DIR or $XDG_DATA_HOME/$HOME/.local/share/nda-generator), and these files may contain sensitive information, so pick a secure location and check file permissions; (2) review the scripts yourself (they are small and included) if you have any doubt; (3) there are no network calls or credential requests in the code, but treat generated legal text as reference only (the script already includes a disclaimer) and consult a lawyer before use; (4) do not run as root to avoid broad filesystem writes. If you want higher assurance, verify the upstream source (homepage/source repo) before use.
Review Dimensions
- Purpose & Capability (ok): Name/description (NDA generator) match the shipped scripts: scripts/nda.sh generates mutual/unilateral/employee NDAs and scripts/script.sh provides a simple CLI/data storage helper. No unrelated capabilities (cloud, git, etc.) are requested.
- Instruction Scope (note): SKILL.md instructs use of the CLI and redirecting output to a file. The scripts do not read system-wide secrets or other users' files, but they do write/read under a per-user data directory (by default $XDG_DATA_HOME or $HOME/.local/share/nda-generator). Generated NDA content and a history log will be stored locally, which may include sensitive information if you supply it.
- Install Mechanism (ok): No install spec / no external downloads. This is an instruction-only skill with included shell scripts, so nothing is fetched from the network during install.
- Credentials (ok): The scripts optionally honor NDA_GENERATOR_DIR and XDG_DATA_HOME/HOME for data location, which is appropriate. The skill declares no required environment variables or credentials and does not attempt to access unrelated config or secrets.
- Persistence & Privilege (note): The tool creates a per-user data directory and writes data.log and history.log under it, which is expected for a CLI tool that saves entries. This is persistent storage of user-provided content; consider where those files are placed and who can read them.
