Skill v3.0.1

ClawScan security

Seedgen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 19, 2026, 10:59 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill does what it says — local random/seed generation using /dev/urandom and standard shell tools; nothing requests credentials or makes external network calls — but some generators use non-cryptographic RNGs and may not be suitable for high-security uses.
Guidance
This skill appears internally consistent and local-only: it generates random data from /dev/urandom and shell utilities and does not exfiltrate secrets or require credentials. Before relying on it for security-sensitive uses, note that some functions (cmd_int uses bash RANDOM and cmd_float uses awk rand()) are not cryptographically secure; the UUID and password routines are custom and should be validated for your threat model. If you need cryptographic-grade randomness for keys, salts, or tokens, prefer tools/libraries explicitly documented as cryptographically secure (e.g., use /dev/urandom directly, openssl rand, or language crypto libs). Otherwise, this skill is safe to install and run.

Review Dimensions

Purpose & Capability
ok: Name/description match the actual code and instructions: the tool generates strings, hex, bytes, ints, floats, UUIDs, passwords and batches. Required resources (/dev/urandom and common coreutils like od, base64, shuf, awk) are proportionate to the stated purpose.
Instruction Scope
note: SKILL.md and the script are scoped to local generation using /dev/urandom and standard utilities. No file reads, network calls, or access to unrelated environment variables occur. Note: a few commands use non-cryptographic RNGs (bash RANDOM for cmd_int and awk rand() for cmd_float) — this may contradict the expectation of 'strong' or cryptographically secure seeds; cmd_uuid and cmd_password implementations are custom and should be validated if you need cryptographic guarantees.
Install Mechanism
ok: No install spec or external downloads; this is instruction-only with an included shell script. Nothing is fetched from third-party URLs or written to arbitrary locations during install.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. It only requires standard system resources (/dev/urandom and common utilities), which is appropriate for its function.
Persistence & Privilege
ok: always is false and the skill does not attempt to modify system or other-skill configuration. It does not request persistent privileges or implicit always-on presence.