Skill v2.1.0

ClawScan security

File Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 19, 2026, 12:30 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with a local file-format conversion utility and do not request credentials or make network calls; minor documentation/organization issues exist but nothing appears malicious.
Guidance
This skill appears to be a local file conversion toolkit and does not request credentials or make network calls. Before installing: (1) note there are two bundled scripts with overlapping commands — verify which script your agent will execute; (2) the README mentions a data directory (~/.file-converter/) but the code does not write there — if you expect persistent storage, inspect/modify the scripts; (3) there is a small bug/comment in cmd_base64_dec (it currently does not perform decoding) — test commands on non-sensitive sample files first; and (4) because the skill executes shell and Python code on files you provide, avoid running it on highly-sensitive files unless you review the scripts or run them in a sandbox.

Review Dimensions

Purpose & Capability
note: The skill name/description (file format conversions) matches the provided scripts: they implement JSON/YAML/XML/CSV/Markdown conversions, minify/prettify, encoding, and file inspection. Minor incoherences: SKILL.md claims data is stored under ~/.file-converter/ but I found no code writing to that path, and there are two overlapping scripts (scripts/script.sh and scripts/convert.sh) with partly duplicated command sets which could cause confusion about which script the agent will run.
Instruction Scope
ok: SKILL.md instructs the agent to run bundled shell scripts which operate on local files and use Python and standard Unix utilities. The scripts do not read unrelated system files, do not call external network endpoints, and do not reference credentials or other secrets.
Install Mechanism
ok: There is no install spec (instruction-only), and the bundle includes only local shell and Python scripts. No downloads, package installs, or archive extraction are requested.
Credentials
note: No credentials or sensitive environment variables are required. SKILL.md lists an optional FILE_CONVERTER_DIR variable (default ~/.file-converter/), but the scripts do not appear to use or write to that directory — this is a documentation/config mismatch rather than a credential request.
Persistence & Privilege
ok: The skill does not request permanent presence (always:false). It does not modify other skills or system-wide configuration. Agent autonomous invocation is allowed by default (normal) and not combined with other red flags.