Skill v0.2.0

ClawScan security

🦄 Unicon CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 14, 2026, 5:22 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (managing icons via the Unicon CLI) matches what it asks for and instructs: it only requires node, installs the @webrenew/unicon npm package, and its runtime steps operate on project files and the Unicon API — no unrelated credentials or spooky install sources are requested.
Guidance
This skill appears to do exactly what it says: it requires node and installs the @webrenew/unicon npm CLI which will read package.json, create/modify `.uniconrc.json`, and generate icon component files in your project. If you plan to install it globally, consider: (1) prefer using npx or a local devDependency if you don't want a global binary; (2) review the package source on npm/github (https://github.com/WebRenew/unicon and https://unicon.sh) before installing to confirm behavior; (3) be aware that running `unicon skill --all` or similar will write assistant/IDE files into many directories — run that only if you intend it; (4) no credentials are required, but you may want to audit the generated files produced in your repo and CI. Overall there are no incoherent or disproportionate requests in the skill materials.

Review Dimensions

Purpose & Capability
ok: Name/description describe a CLI for searching, bundling, and generating icon components. The only required binary is node and the install spec is the @webrenew/unicon npm package — both are proportionate and expected for this purpose.
Instruction Scope
note: SKILL.md instructs the agent to read project files (package.json for framework detection) and to create/manage `.uniconrc.json` and icon output directories. It also documents a `unicon skill` command that writes assistant skill files into various IDE/assistant directories if run. Those file reads/writes are consistent with the stated functionality but are actions that will modify the user's project and may create files in multiple assistant-related folders if the user invokes the skill installer.
Install Mechanism
ok: Install spec uses the npm package @webrenew/unicon (global install). This is a standard, traceable package installation mechanism; there are no direct-download URLs, extract operations, or obscure hosts in the install instructions.
Credentials
ok: The skill declares no required environment variables or credentials. The references mention optional vars (UNICON_API_URL, UNICON_CACHE_DIR, UNICON_NO_CACHE) which are reasonable for configuring a CLI that talks to an API and manages a cache. No unrelated secrets are requested.
Persistence & Privilege
note: The skill is not marked always:true and allows normal autonomous invocation. The documented `unicon skill --ide/--all` feature can write files into many assistant/IDE directories; this is consistent with a command that installs helper files but is an operation the user should be aware of before running.