Skill v2.0.0

ClawScan security

Webpack Config · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 6:59 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is coherent with its stated purpose — it generates Webpack/Vite configuration and includes shell scripts that produce config text and small local logs; it does not request credentials or perform network exfiltration in the provided files.
Guidance
This skill appears to do what it says: generate Webpack/Vite configs. Before running, be aware that the included shell scripts will create a per-user data directory (by default ~/.local/share/webpack-config) and append small log files (history.log/data.log). There are no network calls or secret reads in the provided files. If you prefer not to have persistent logs, set WEBPACK_CONFIG_DIR to a directory you control (or a tmp location) or inspect/run the scripts in a sandbox. As always, only run scripts from authors you trust or review the script contents locally before execution.

Review Dimensions

Purpose & Capability
ok: Name/description (Webpack/Vite config generator) matches the included files: scripts produce webpack.config.js templates and a simple CLI-like script. No unrelated credentials, binaries, or external services are required by the code.
Instruction Scope
note: SKILL.md is a short instruction/metadata file and references running a CLI. The included scripts implement that CLI behaviour. The scripts do not read arbitrary system files or environment secrets, but they do create a data directory and append logs (history.log and data.log) under $WEBPACK_CONFIG_DIR or default ${XDG_DATA_HOME:-$HOME/.local/share}/webpack-config. This local write behavior is expected for a CLI that keeps history but is noteworthy.
Install Mechanism
ok: No install spec is provided (instruction-only style). There is no download-from-URL or package install step in the manifest. The only code present is a set of local shell scripts; nothing in the manifest writes arbitrary remote code to disk during installation.
Credentials
ok: The skill requires no environment variables or credentials. It optionally respects WEBPACK_CONFIG_DIR/XDG_DATA_HOME to locate its data directory — no secrets or unrelated environment access is requested or used.
Persistence & Privilege
note: The skill does not request platform privileges and is not always-enabled. It does persist small files under a per-user data directory (history.log, data.log, config.json path references). This is reasonable for a CLI but worth noting if you prefer no on-disk traces.