Skill v2.0.0

ClawScan security

Thesis Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 6:59 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill does what it says (local thesis-writing templates and helpers); it contains two bash scripts that generate templates and store simple local logs/data but does not request credentials or reach out to remote servers.
Guidance
This skill appears coherent and implements local thesis-writing helpers via bash scripts. Before installing/running:
1) review the bundled scripts (scripts/thesis.sh and scripts/script.sh) if you want to confirm behavior;
2) be aware the tool writes data to ~/.local/share/thesis-helper by default (history.log, data.log, config.json path referenced). Avoid passing highly sensitive text you don't want persisted, or set THESIS_HELPER_DIR to an alternate sandbox directory;
3) there are no network calls or credential requests in the provided code, so remote exfiltration is not apparent from the files;
4) if you allow the agent to invoke skills autonomously, note it could run these scripts and thus create/modify the local files—restrict autonomous use or run in a sandbox if that is a concern.

Review Dimensions

Purpose & Capability
ok
Name/description match the actual behavior: the package provides CLI utilities and templates for outlines, abstracts, citations, defense prep, and checklists. The included scripts implement those features and do not require unrelated credentials or binaries.
Instruction Scope
note
SKILL.md instructs use of the local CLI and help commands only. The runtime scripts are limited to generating text templates and checklist output. They do read from/write to a local data directory (default: ${XDG_DATA_HOME:-$HOME/.local/share}/thesis-helper) and append to data.log and history.log, so user inputs passed to add/export commands will be persisted locally.
Install Mechanism
ok
No install spec or network downloads; all code is bundled with the skill. No external packages or remote URLs are fetched during install.
Credentials
note
The skill requires no environment variables or secrets. It honors THESIS_HELPER_DIR/XDG_DATA_HOME/HOME for data location. However, it does create and write files under the user's data directory (history.log, data.log, config.json path referenced), which is proportionate for a CLI tool but can persist any sensitive input given to the tool.
Persistence & Privilege
note
always:false and no system-wide config modifications. The scripts create and write files in a per-user data directory (persistent storage). This is expected behavior but means repeated runs may retain previously entered content.