Skill v1.0.0
ClawScan security
Bun Workspace Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 2:47 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, file accesses, and suggested commands are consistent with a Bun workspace optimizer and do not request unrelated credentials or installs, though it assumes local tools exist without declaring them.
- Guidance: This skill appears coherent and safe in purpose: it analyzes repository layout and package.json files and suggests Bun-specific optimizations. Before using it, ensure the agent runtime has bun, python3, and standard Unix tools (find, cat) available — the skill assumes these but does not declare them. Also be aware the skill's commands will read your repository files (package.json, CI configs, bunfig.toml, Dockerfiles); run it in a trusted environment or on a copy of the repo if you are concerned. Finally, review any suggested automated changes before applying them (e.g., hoisting dependencies, changing CI commands, or migrating build tools).
Review Dimensions
- Purpose & Capability (note): Name/description align with the instructions: all steps (workspace discovery, dependency analysis, build profiling, migration guidance) relate to Bun monorepos. Minor inconsistency: SKILL.md expects local tools (bun, python3, find, cat) but the skill metadata lists no required binaries.
- Instruction Scope (ok): Runtime instructions only read repository files (package.json, bunfig.toml, pnpm-workspace.yaml, CI config, Dockerfile) and run local analysis commands. These actions are appropriate for the stated purpose. No instructions attempt to read unrelated system credentials or external endpoints.
- Install Mechanism (ok): No install spec and no code files — lowest install risk. The skill is instruction-only, so nothing will be downloaded or written by an installer.
- Credentials (ok): The skill declares no required environment variables or credentials and the instructions do not reference secrets. Mentions of registries/CI are advisory and not tied to requesting credentials.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/privileged presence or modification of other skills or agent-wide config.
