Back to skill
Skillv4.0.2
ClawScan security
Dropship Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 24, 2026, 1:15 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are internally consistent: it is a local, read-only reference tool that prints static documentation and does not request credentials, network access, or unusual privileges.
- Guidance
- This skill appears coherent and low-risk: it only prints static reference text and does not access network or credentials. Notes to consider before installing: (1) the package includes a runnable shell script — confirm your agent's execution sandboxing if you allow the agent to run local binaries; (2) there are minor version mismatches (script VERSION=4.0.0, SKILL.md 4.0.1, registry 4.0.2) which likely indicate maintenance sloppiness but not malicious behavior; (3) continue to review future updates for added network calls or credential usage before upgrading, since the current approval is based on the present static content.
Review Dimensions
- Purpose & Capability
- okName/description (dropship reference) align with the included script and SKILL.md. The only code prints static documentation for the listed commands — nothing requires external services or extra credentials.
- Instruction Scope
- okSKILL.md explicitly states all output is plain-text heredoc with no network calls. scripts/script.sh implements only local printing and simple argument parsing, referencing no files, env vars, or external endpoints.
- Install Mechanism
- okNo install spec; delivered as an instruction file plus a small shell script. No downloads, package installs, or archive extraction are present.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths and the runtime script does not read any. Required privileges are minimal and proportionate to a local reference tool.
- Persistence & Privilege
- okalways is false, the skill does not request permanent presence or modify other skills/configs. It simply provides a local script and instructions to print content.