Skill v1.0.2

ClawScan security

Markdown Docs Full-Text Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 1:16 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill and bundled scripts are internally consistent with a local Markdown full‑text search tool: they index and search local .md files, create a local SQLite FTS5 DB, and do not request credentials or perform network exfiltration.
Guidance
This bundle appears to be a straightforward local Markdown indexing/search tool. Before installing/running:
1) Confirm you will point the tool at an intended docs directory — it will read all *.md files recursively and create a SQLite DB (e.g., competitor_docs.db) in or near that directory.
2) Note there are no network calls or credential requests in the code, so it does not exfiltrate secrets.
3) The included code references 'competitor' and product names in comments and _meta.json (slug/version mismatch with the registry metadata) — this is likely repurposed code and not a functional risk, but you may want to verify the source if provenance matters.
4) Ensure your Python runtime has SQLite built with FTS5; otherwise searches may fail.
5) If you run it against very large directories, expect disk and CPU usage while building the index.
If you need further assurance, run the scripts in a controlled environment (a temporary directory or container) to observe behavior and output before pointing them at sensitive folders.

Review Dimensions

Purpose & Capability
ok
The name/description (Markdown full‑text search) matches the included scripts and SKILL.md: indexing, FTS5 search, source URL extraction and CLI helpers. Minor naming artifacts reference 'competitor' and specific product names (e.g., Commvault) in code/comments, but this appears to be reuse of an implementation rather than a capability mismatch.
Instruction Scope
ok
SKILL.md instructs only local operations (index a docs directory, run searches, view status/get articles). The scripts perform file I/O on the provided docs_dir, compute hashes, build/inspect a local SQLite DB, and parse text — they do not make network requests or read unrelated system files or environment variables.
Install Mechanism
ok
No install spec is provided (instruction-only skill with included scripts). Nothing is downloaded or installed automatically by the skill; code is bundled and runs locally. This is the lowest-risk install model.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. All required inputs are user-supplied (a documentation directory and optional db path).
Persistence & Privilege
ok
The skill is not always-enabled and does not modify other skills or system-wide agent settings. It writes a local SQLite DB (by default into the docs directory or working directory), which is appropriate for an indexing tool.