Skill v1.0.0
ClawScan security
Test · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 19, 2026, 9:07 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions align with its stated purpose (rendering JSON schemas and using OpenAI to generate schemas), but it's instruction-only (no code or install spec) so the agent will rely on external tools and your OpenAI key being present and trustworthy.
- Guidance: This skill is instruction-only and expects a materials-cli (Node) tool plus your OpenAI API key. Before installing or using it:
  1. Verify the npm package name and source for 'materials-cli' (who publishes it) and prefer installing only packages you trust; installing global npm packages runs third-party code on your system.
  2. Understand that using the 'generate' command will send prompts and possibly schema content to OpenAI — don't supply sensitive data.
  3. Provide OPENAI_API_KEY only if you trust the package and want the agent to call OpenAI on your behalf.
  4. If you prefer, run the CLI manually in a controlled environment rather than giving the agent autonomous ability to invoke it.

  If you want a stronger assurance, ask the skill author for the exact npm package name, repository URL, or a vetted install spec before installing.
Review Dimensions
- Purpose & Capability (note): The skill claims to be a 'materials-cli' that renders schemas and uses OpenAI for generation; requiring node and OPENAI_API_KEY is consistent. Minor inconsistency: the registry name is 'Test' while the CLI in SKILL.md is 'materials-cli' (labeling mismatch) and there is no bundled materials-cli code or install spec—so the agent will expect the external CLI to exist on the host or be installed by the user.
- Instruction Scope (ok): SKILL.md only instructs rendering, generating (via OpenAI), and validating JSON schema files. It references schema file paths and optional OpenAI settings; it does not ask the agent to read unrelated files, harvest system secrets, or send data to unexpected endpoints beyond OpenAI.
- Install Mechanism (note): There is no install spec or bundled code; SKILL.md suggests installing 'materials-cli' via npm (-g). That means the agent/user will pull a package from the public npm ecosystem if they follow the README instructions. This is a legitimate, moderate-risk choice (npm packages are common) but the skill itself does not provide a vetted install source or package integrity information.
- Credentials (ok): Only OPENAI_API_KEY is required (declared as primaryEnv), which matches the documented 'generate' command that uses OpenAI. The SKILL.md also mentions optional OPENAI_MODEL and OPENAI_BASE_URL used if flags are not provided; those are optional and not required environment variables.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not declare modifications to other skills or system settings. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges.
