Skill v1.0.0
ClawScan security
Prettierrc Validator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 11:45 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and requirements align with the stated purpose (validating Prettier config files); it requires no credentials, no installs, and the bundled script only reads and validates config files.
- Guidance: This skill appears coherent and low-risk: it bundles a Python script to lint Prettier configs and requires no credentials or installs. Before using it, you may want to (1) quickly scan the included scripts yourself or run them in a sandbox/CI runner on a non-production machine, (2) avoid running it against code you don't trust if you have policies about reading repository files (the tool reads config files you point it at), and (3) be aware that optional dependencies (PyYAML, tomli) are standard parsers — if you install them, use official package sources (PyPI) to avoid supply-chain risks. If you need guarantees beyond this review, run the script with a Python security scanner or inspect the remainder of the file not shown in the truncated preview.
Review Dimensions
- Purpose & Capability: ok. Name/description match the provided code and SKILL.md. The bundled Python script implements config parsing and lint rules for Prettier options; there are no unrelated credentials, binaries, or platform hooks requested.
- Instruction Scope: ok. Runtime instructions are explicit: run the included Python script against config files. The script reads the specified config file(s) and parses JSON/YAML/TOML (with fallbacks) and does not attempt to read unrelated system files, environment variables, or call external endpoints. JS configs are explicitly excluded from static validation.
- Install Mechanism: ok. No install spec is present (instruction-only with a packaged script). No remote downloads or binary installs are requested; optional dependencies (PyYAML, tomli) are standard parsing libraries and only used if present.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. The code does not reference any secrets or external service tokens.
- Persistence & Privilege: ok. always is false and the skill does not request persistent system modifications or modify other skills' configurations. It does not install background services or enable permanent agent-level privileges.
