Back to skill
Skillv3.0.2
ClawScan security
Antlr4 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 24, 2026, 1:11 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a self-contained, read-only Antlr4 reference: it does not request credentials, make network calls, or perform file writes and is consistent with its description.
- Guidance
- This skill appears to be a harmless, read-only Antlr4 reference implemented as a small bash script. It does not require credentials or network access. You can install/enable it with low risk, but as with any third-party skill, review updates before accepting new versions (in case future changes introduce network access or credential use). Note only minor non-security inconsistencies (script VERSION differs from registry metadata), which don't affect behavior.
Review Dimensions
- Purpose & Capability
- okThe skill is described as an Antlr4 reference and its files (SKILL.md and a bash script) only provide documentation output. There are no environment variables, binaries, or credentials required that would be unrelated to a documentation/reference tool.
- Instruction Scope
- okSKILL.md explicitly states all commands output plain-text via heredoc and require no external API/network access. The included script prints static documentation for the documented commands and does not read other files, environment variables, or network endpoints.
- Install Mechanism
- okThere is no install spec; this is instruction-only with a small helper script. Nothing in the manifest downloads or extracts remote archives or installs packages.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. The script does not access or expose any secrets or external credentials.
- Persistence & Privilege
- okalways is false and the skill does not request or modify agent/system configuration. It does not attempt to persist state or elevate privileges.