Skillv3.0.2

ClawScan security

Autohotkey · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 24, 2026, 1:11 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill is an instruction-only Autohotkey reference (static text outputs) and its files and declared requirements are consistent with that purpose.
Guidance: This skill appears to be a harmless static reference: the included shell script only prints documentation and does not access network, files, or secrets. Before installing, you can (1) confirm the skill came from the linked GitHub repo and inspect the repo history for tampering, (2) verify the script has not been modified in your installation, and (3) run it in an isolated environment if you want extra assurance. There are no obvious red flags, but as with any third-party code, review updates and the source before trusting it in sensitive or multi-tenant environments.

Purpose & Capability: okName/description match the provided assets: SKILL.md documents a reference tool and the included script only prints static reference text. No unrelated credentials, binaries, or services are requested.
Instruction Scope: okSKILL.md instructs the agent to return plain-text reference docs and explicitly states no external API calls or network access. The bundled shell script implements only heredoc outputs and a small CLI dispatch—it does not read files, environment variables, or perform network I/O.
Install Mechanism: okNo install specification is provided (instruction-only plus a local script). Nothing is downloaded or extracted; risk from install-time behavior is minimal.
Credentials: okNo environment variables, credentials, or config paths are required or referenced. The script does not access secrets or external tokens.
Persistence & Privilege: okSkill is not forced-always, does not request persistent system presence, and contains no code to modify other skills or global agent configuration.