Skill v1.0.0
ClawScan security
Api Documentation Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 1:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is instruction-only and its requested actions (scanning project files to extract routes and types) are consistent with its stated purpose of generating API documentation.
- Guidance: This skill is coherent with its purpose and poses low intrinsic risk because it only instructs the agent to scan local project files. Before running it, consider: run it on a copy of repositories that may contain secrets or sensitive data (it will read source files), review generated docs before sharing externally, and avoid granting the agent access to system files or private credentials. If you want additional assurance, run the grep/python commands manually in a sandboxed environment first to confirm the output.
Review Dimensions
- Purpose & Capability: ok. The name/description match the runtime instructions: the SKILL.md shows commands to detect frameworks, grep route definitions, and analyze types/models — all of which are appropriate for generating API docs from source code.
- Instruction Scope: ok. The instructions only direct the agent to read repository files (package.json, requirements.txt, source directories) and run local text-processing (grep, small python snippet). There are no steps that request reading unrelated system files, network exfiltration, or calling unknown external endpoints.
- Install Mechanism: ok. No install specification or third-party downloads are present. This instruction-only skill does not write code to disk or fetch executables, so installation risk is low.
- Credentials: ok. The skill does not request environment variables, credentials, or config paths. That is proportionate for a static-analysis documentation task; it attempts to infer auth/rate-limit info from code rather than asking for secrets.
- Persistence & Privilege: ok. always is false and there is no mechanism shown that would alter other skills or persist beyond the agent run. The skill does not request elevated or continuous privileges.
