Back to skill
Skillv0.1.0
ClawScan security
Ai Agent Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 15, 2026, 3:50 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is a self‑contained Python utility library whose requested capabilities, files, and runtime instructions are consistent with its stated purpose; there are no obvious requests for credentials, network exfiltration, or excessive privileges.
- Guidance
- This package appears coherent and implements only local utility functions (file I/O, regex extraction, JSON/CSV conversion, simple in‑memory memory). Before installing, verify the source repository (the docs reference github.com/cerbug45 but the registry shows Source: unknown), and prefer to: (1) review the ai_agent_tools.py file yourself, (2) vendor or pin a specific commit or checksum rather than blindly wget raw code, (3) run it in an isolated virtualenv or container, and (4) avoid running with elevated privileges or on sensitive host paths. If you need higher assurance, ask the maintainer for a canonical homepage or signed release.
Review Dimensions
- Purpose & Capability
- noteThe name/description (utility library for file/text/data/memory/validation) matches the provided code and docs. Minor note: registry metadata lists 'Source: unknown' and no homepage, while the docs reference a GitHub repo (cerbug45). That inconsistency is worth verifying but does not contradict the skill's claimed functionality.
- Instruction Scope
- okSKILL.md instructs the agent to use the included Python module for local file operations, text parsing, data conversion, in‑memory storage, and validation. The runtime instructions and examples operate only on local files and in‑memory structures; they do not instruct reading unrelated system configuration, contacting external endpoints, or accessing secrets.
- Install Mechanism
- noteThere is no formal install spec in the registry (instruction-only), but the docs suggest cloning or wget from a GitHub raw URL. Using raw downloads is common for single-file libs but carries the usual risk of pulling code from an external source — verify the repository and prefer vendoring or pinning a commit/hash.
- Credentials
- okThe skill requires no environment variables, no credentials, and no special config paths. The code uses only the Python standard library and local filesystem operations, which is proportionate to the described utilities.
- Persistence & Privilege
- okThe skill does not request persistent/always‑on privileges; registry flags are default (always: false). Included files and setup.py are limited to a standard Python package layout and do not modify other skills or systemwide agent settings.