Skill v1.0.0
ClawScan security
Mutation Test Runner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 11:34 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions and requirements are consistent with its stated purpose (running mutation tests); it is instruction-only and does not request unrelated credentials or persistent privileges, though it will run commands that modify the working tree and install tooling locally if invoked.
- Guidance
- This skill appears to do what it says: run mutation tests and suggest tests to kill surviving mutants. Before using it, run it on a disposable clone or feature branch (or inside a container/VM/virtualenv) because the instructions may install packages and perform temporary in-place edits to source files — interruptions could leave changes if backups are not restored. Prefer running Stryker/mutmut/PIT via project-local dev-dependencies or CI rather than global installs. Ensure the project's test suite does not perform destructive actions (external writes, DB migrations) when run. Finally, verify tool availability (rg, sed differences on macOS) and review any generated reports before committing changes. If you want, I can produce a safe wrapper script/CI job that runs these steps in an isolated environment and protects your working tree.
Review Dimensions
- Purpose & Capability
- ok: Name/description (mutation testing) match the instructions: detecting language, invoking Stryker/mutmut/PIT/gremlins, or applying manual mutations. Nothing requested (env vars, unrelated binaries) is outside what mutation testing needs.
- Instruction Scope
- note: Instructions run test tools and, for the fallback manual flow, perform in-place edits (cp, sed, mv) to source files and then restore backups. This is expected for mutation testing, but it does involve modifying the working tree and running the project's test suite, which may have side effects. The SKILL.md does not explicitly recommend running in an isolated environment (virtualenv, container, or git branch) or using safe sed flags for macOS compatibility.
- Install Mechanism
- ok: There is no install spec (instruction-only). The runtime commands will install tools via package managers (npm/pip/go/maven/gradle) if missing, which is normal for this use case. These downloads come from standard registries/official build tooling rather than arbitrary URLs.
- Credentials
- ok: The skill declares no environment variables, credentials, or config paths, and the instructions do not reference secrets or unrelated system credentials. Tool installation and test execution require normal developer permissions only.
- Persistence & Privilege
- ok: always:false and default autonomous invocation are used (normal). The skill does not request persistent system presence, nor does it modify other skill or system configurations.
