Skill v1.0.0

ClawScan security

Peter Bugfix Loop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 6:54 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only skill that prescribes a disciplined bug-fix workflow and does not request additional binaries, credentials, or install steps — its declared scope matches its instructions.
Guidance
This skill is an instruction-only checklist for handling bugs and appears internally consistent. Before enabling it, verify: (1) your agent environment (or the user) has the necessary repo and CI access that the referenced 'peter-*' commands expect — those credentials are not declared by the skill; (2) you are comfortable with the agent reading code and tests in scope when you invoke it (the workflow requires inspecting related source files); and (3) any outputs (bug reports, reproduction scripts, logs) do not inadvertently include secrets. If you do not have the Peter tooling in your environment, the skill's hooks will be no-ops or may cause errors — that's expected behavior, not a security issue.

Review Dimensions

Purpose & Capability
ok: Name/description (bug-fix loop) match the SKILL.md content: reproduce, diagnose, minimal fix, tests, and hook into existing Peter PR/gate processes. No unrelated requirements are present.
Instruction Scope
ok: Instructions are procedural and scoped to bug reproduction, root-cause hypothesis, minimal changes, and tests. They do not instruct reading unrelated system files or exfiltrating data. They reference running/using internal 'peter-*' gates but only as part of the stated workflow.
Install Mechanism
ok: No install spec or code files — instruction-only. No downloads or archive extracts, so minimal installation risk.
Credentials
note: The skill declares no env vars or credentials (proportional). It does reference internal tooling commands (peter-code-review, peter-commit-ops, peter-ci-gate, peter-pr-ops). If those commands require credentials or access to repos/systems at runtime, access must be provided by the agent environment — the skill itself does not request or document those credentials.
Persistence & Privilege
ok: 'always' is false and there is no install-time persistence. The skill does not request or modify other skills' configs or system-wide settings.