Skill v1.0.0
ClawScan security
Cargo.toml Validator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 22, 2026, 11:49 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are consistent with a local Cargo.toml validator: it requires no external credentials, no installers, and the included Python script appears to perform only static checks on the provided manifest file.
- Guidance: This skill appears coherent and locally scoped: it runs a bundled Python script to check a Cargo.toml and requires no external credentials or installers. Before running in a production environment, you may want to: (1) review the full scripts/cargo_toml_validator.py file to confirm there are no network calls, subprocess.exec calls, or unexpected file writes beyond the manifest being checked; (2) run it in a sandbox or on a sample project to confirm behavior; and (3) ensure your Python runtime is 3.11+ (tomllib is stdlib there). The included code looks consistent with the stated purpose, so installing is reasonable if you trust the skill author, but always inspect bundled code you will execute locally.
Review Dimensions
- Purpose & Capability (ok): Name/description (Cargo.toml validation) align with the provided CLI instructions and the included Python script which parses and analyzes manifest content; nothing required or requested appears unrelated to the stated purpose.
- Instruction Scope (ok): SKILL.md directs the agent to run the included script against a specified Cargo.toml and to produce validation output; the instructions do not ask the agent to read unrelated system files, access credentials, or transmit data to external endpoints.
- Install Mechanism (ok): No install spec is present (instruction-only invocation with a bundled script). This avoids remote downloads or installs; the script runs locally using the system Python and tomllib (stdlib in Python 3.11+).
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. There is no indication in the SKILL.md or the visible portion of the script that it accesses unrelated secrets or environment data.
- Persistence & Privilege (ok): always is false and the skill does not request persistent or elevated platform privileges. It does not modify other skills or agent-wide settings based on the provided materials.
