Skillv0.1.4

ClawScan security

Multilingual Semantic Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 17, 2026, 9:31 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose, instructions, and lack of installs/credentials are internally consistent; main caution is to confirm where any 'persisted mappings' are stored so sensitive data isn't retained unexpectedly.
Guidance: This skill is coherent and low-risk: it provides an instruction-based method to rewrite/bridge multilingual queries to better match English-heavy technical artifacts and asks for nothing else. Before installing, verify two things with your platform/operator: (1) where 'persisted mappings' would be stored (assistant memory, local DB, etc.), who can read them, and how long they're retained; (2) whether the skill (or agent runs using it) will be allowed to access the specific document/memory stores you care about. If you are concerned about privacy, test with non-sensitive example queries first and review the referenced GitHub repo for any additional runtime expectations.

Purpose & Capability: okName and description match the actual content: an instruction-only bridge for improving multilingual→technical query phrasing. It requests no binaries, env vars, or unrelated resources, which is appropriate.
Instruction Scope: noteSKILL.md stays on-topic (preserve input, derive canonical intent, generate technical pivot, improve retrieval). One area to clarify: it instructs to 'persist confirmed mappings' but does not specify storage location, scope, retention policy, or consent — this could cause unintended retention of sensitive or private phrasing unless the platform or operator defines where mappings are stored.
Install Mechanism: okInstruction-only skill with no install spec, no downloads, and no code to execute. This is the lowest-risk install profile and matches the declared metadata.
Credentials: okThe skill requests no environment variables, credentials, or config paths. There are no disproportionate or unrelated permission requests.
Persistence & Privilege: notealways:false and normal autonomous invocation are appropriate. The only potential privilege concern is the implicit ability to recommend persisting mappings (learning loop). Before enabling, confirm what persistence APIs (assistant memory, local DB, etc.) the agent will use and whether the skill will be allowed to write to them.