Skill v1.0.0
ClawScan security
File Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 4:01 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally coherent with its stated purpose (a CLI file-search tool) and has no network calls or hidden endpoints, but there are small inconsistencies you should review before installing (runtime/dependency and license declarations). Remember that it will read the files you ask it to scan.
- Guidance: This skill appears to be what it says: a CLI file-search utility implemented as a bash script with embedded Python. Before installing or running it: (1) check the license mismatch (SKILL.md: Apache-2.0 vs script header: MIT) and confirm you are comfortable with the stated copyright/terms; (2) be aware the script uses system 'find', 'stat', and Python3, so ensure those are present and acceptable; (3) avoid running it against sensitive directories or as root because it will read file metadata and, in duplicate mode, read portions of files; (4) if you require stricter guarantees, inspect the script yourself (it is short and readable) or run it in a confined environment. Overall there are no signs of network exfiltration and no unexplained credential requests.
Review Dimensions
- Purpose & Capability (note): The skill claims to be a 'find' alternative and the included bash script implements find-like commands (find/ext/large/recent/dup/summary/tree). That capability matches the name/description. Minor mismatch: the registry lists no required binaries, but the script uses system tools (find, stat, tree optionally) and embeds Python3 snippets, so the declared requirements are incomplete.
- Instruction Scope (note): SKILL.md instructions are minimal and the runtime behavior is entirely in the provided script. The script will traverse directories, read file metadata and (for duplicate detection) read up to 64KB from files to compute MD5 slices. This is expected for a file-finder/dup tool but means it will read file contents you point it at (so avoid scanning sensitive system areas or running as root).
- Install Mechanism (ok): No install spec (instruction-only) and no network downloads; the only code is a local bash script. Nothing in the manifest attempts to fetch or execute remote artifacts.
- Credentials (note): The skill declares no required environment variables or credentials, which is appropriate. However, SKILL.md lists runtime: python3 while the top-level metadata declares required binaries: none; in practice Python3 (and standard Unix tools) are needed for some commands. Also, SKILL.md lists Apache-2.0 but the script header claims the MIT license; the license mismatch should be clarified.
- Persistence & Privilege (ok): The skill does not request persistent installation, special privileges, or always-enabled status. It does not modify other skills or system-wide configs according to the provided files.
