Skill v1.0.0

ClawScan security

Monorepo Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 11:45 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's behavior (reading repo files and running local Python/shell snippets to analyze a monorepo) matches its description; there are no unexpected network calls, credentials, or install steps, though the SKILL.md assumes Python and common shell tools without declaring them.
Guidance
This skill appears to do what it says: it parses repository manifests and computes dependency/graph analyses locally. Before installing/using it:
1) Note the SKILL.md assumes Python 3 and common shell utilities (grep, cat) though these are not declared — ensure you have Python 3 available.
2) The skill runs local shell/python snippets that read files under your repository root; it does not contact external networks or request secrets, but it will read package manifests and other repo files — only run it on repositories you trust or in an isolated environment.
3) Because the skill source/author is unknown, prefer running its commands manually the first time (inspect SKILL.md and run them in a controlled shell) or ask the author for provenance if you need stronger assurance.

Review Dimensions

Purpose & Capability
note: The skill's instructions operate on workspace manifests (package.json, pnpm-workspace.yaml, Cargo.toml, go.work, etc.) and perform dependency/build-order analysis — this matches the stated purpose. Minor inconsistency: the SKILL.md relies heavily on python3 and standard POSIX tools (grep, cat) but the registry metadata lists no required binaries.
Instruction Scope
ok: Instructions are concrete shell + python snippets that read and parse repository files (package.json, lerna.json, nx.json, Cargo.toml, etc.), glob for package.json files, and print analysis results. They only reference project files and produce local output (including suggested Mermaid diagrams). They do not request external network endpoints or unrelated system paths.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, so nothing is downloaded or written to disk by the skill itself — lowest install risk.
Credentials
ok: No credentials, environment variables, or config paths are requested or used. The skill operates on repository files only, which is appropriate for its purpose.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated or persistent platform privileges; it is user-invocable and may be invoked autonomously per platform defaults (normal behavior).