Skill v1.0.0

ClawScan security

Test Impact Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 1:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The instructions match a legitimate test-impact analyzer, but the skill's metadata claims no required binaries while the SKILL.md depends on several CLI tools (git, rg, python3, bc, etc.) and the file is truncated — review before use.
Guidance
This skill's scripts appear coherent for test-impact analysis, but do not run it blindly. Before installing or invoking it:
1) Confirm the full SKILL.md (the provided file is truncated) and inspect any remaining commands.
2) Ensure the required tools (git, ripgrep 'rg' or adjust to grep, python3, bc, mktemp, find, sed, grep) are available, or update the script.
3) Run the commands in a trusted local clone; they will read and scan your repository files.
4) If you are uncomfortable executing shell snippets from an unknown source, ask the author for a complete script, or run the commands step by step manually to verify behavior.
The omission of required binaries from the metadata is a red flag; ask the publisher to correct it before use.

Review Dimensions

Purpose & Capability
concern
The skill's stated purpose (map changed source files to tests) matches the instructions. However, the registry metadata lists no required binaries or env vars, while the SKILL.md explicitly calls out numerous CLI tools (git, find, sed, grep, rg/ripgrep, mktemp, bc, python3). That metadata omission is an incoherence and could mislead users about what the skill will run.
Instruction Scope
note
The instructions perform repository-local analysis (git diff, filesystem searches, import-chain scanning), which is appropriate for the stated task. They will read the project's files and run shell commands, as expected for this tool. The provided SKILL.md is truncated near the end (a Python snippet is cut off), so the instructions may be incomplete; that should be resolved before running.
Install Mechanism
ok
No install spec is provided (instruction-only). This minimizes installation risk because nothing is automatically downloaded or written to disk by an installer, but the agent will execute the shell commands described in the SKILL.md.
Credentials
ok
The skill does not request credentials or environment variables in metadata, and the instructions do not attempt to read secrets or external service credentials. The main proportionality issue is the missing declaration of required CLI tools in metadata, not an over-broad credential request.
Persistence & Privilege
ok
The skill is not always-enabled and does not request persistent or system-wide changes. It only contains runtime instructions to run locally; no autonomous or elevated persistence is requested in the metadata.