Skill v1.0.1

ClawScan security

first skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 22, 2026, 3:15 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is a coherent 'skill creator' guide with two benign helper scripts (initializer and validator); nothing in the files appears disproportionate or malicious, though you should review and run the scripts intentionally because they create files on disk.
Guidance
This skill appears to be what it claims: a template and validator for authoring skills. Before using: (1) review the two Python scripts to confirm the target path you pass to init_skill.py is correct (they will create directories and files), (2) ensure you have Python available and install PyYAML if you intend to run quick_validate.py, (3) avoid running init_skill.py against system or sensitive directories to prevent accidental file creation, and (4) consider inspecting created files before executing any bundled scripts. No network access or secret exfiltration is apparent, but exercise usual caution when running downloaded scripts.

Review Dimensions

Purpose & Capability
ok: The SKILL.md describes how to create and structure skills and the included scripts (init_skill.py and quick_validate.py) implement exactly that functionality (scaffold a skill directory and validate SKILL.md). The referenced storage path (~/.deepagents/<agent>/skills/) matches the stated purpose.
Instruction Scope
ok: Instructions are limited to skill authoring guidance and resource organization. They do not instruct the agent to read unrelated system files, contact external endpoints, or access unrelated credentials. The scripts operate on user-specified filesystem paths and SKILL.md contents only.
Install Mechanism
note: There is no install spec (instruction-only), which is low-risk. The bundled Python scripts will be written to disk when the skill is present. Note: quick_validate.py imports 'yaml' (PyYAML) and the scripts assume a Python runtime — these dependencies are not declared in the metadata.
Credentials
ok: The skill declares no required environment variables or credentials and the code does not access secrets or external services. The only environment / system requirements are a Python interpreter and (for the validator) PyYAML, which are proportional to the scripts' purposes.
Persistence & Privilege
ok: The skill does not request always:true and is user-invocable. It does not modify other skills or global agent configuration beyond creating files in the target skill directory. It sets executable permission on created example script files, which is expected for a scaffold tool.