v1.0.0

Runbook Generator

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 12:46 PM.

Analysis

This appears to be a coherent local runbook generator that reads project configuration files and masks .env values rather than exposing secrets.

Guidance: This skill looks safe for its stated purpose. Before installing or using it, remember that it reads local project configuration files, including .env files, and generates documentation from them. Use it on the intended project only and review the output before sharing.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Info | Confidence: High | Status: Note
SKILL.md
python3 scripts/generate_runbook.py /path/to/project

The skill is operated by running a local Python script. This is expected and central to its purpose, with no evidence of hidden install-time execution or unrelated commands.

User impact: Using the skill runs local code that reads the selected project files and generates documentation.
Recommendation: Review the command and run it against the intended project path; avoid pointing it at unrelated private directories.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/generate_runbook.py
def scan_env_file(path): ... # Mask actual values, keep examples ... info["variables"][key] = "<set in .env>"

The script reads .env-style files, which may contain credential or secret configuration, but the included code explicitly masks non-example values before including them in output.

User impact: The generated runbook may reveal environment variable names and example values, but the artifacts show actual .env values are masked.
Recommendation: Run it only on project directories you intend to document and review the generated runbook before sharing it.