Skill v2.0.0
ClawScan security
Font Pairing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 6:53 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions match its stated purpose (font pairing and preview helpers); the included scripts are simple local helpers that only print guidance and write a small history log under the user's data dir.
- Guidance
- This skill appears to be what it claims: a font/design helper that prints recommendations and can generate preview HTML. Before installing, note that the scripts will create a per-user data directory (by default ~/.local/share/font-pairing) and append to history.log; you can override the location via FONT_PAIRING_DIR if you prefer. There are no network calls or credential requirements. If you are uncomfortable with any local file writes, review or run the scripts manually to confirm behavior, or set FONT_PAIRING_DIR to a location you control or to /tmp before use.
Review Dimensions
- Purpose & Capability
- ok: Name/description (font pairing, Chinese fonts, web-font loading, preview HTML) align with the provided SKILL.md and the two scripts. The scripts produce text prompts, sample output, and a small set of design helper commands, all coherent with a font/design utility.
- Instruction Scope
- ok: SKILL.md and scripts limit their actions to producing recommendations, example HTML/CSS, and CLI-style output. They do not attempt to read unrelated system files, post data over the network, or ask for credentials. The runtime behavior is constrained to generating content and handling CLI args.
- Install Mechanism
- ok: No install specification is present (instruction-only plus small scripts). No downloads, package installs, or external installers are declared.
- Credentials
- note: The repository declares no required env vars, which matches its purpose. The script references optional environment variables FONT_PAIRING_DIR and XDG_DATA_HOME and uses HOME as a fallback to build a data directory (~/.local/share/font-pairing). This is reasonable for storing a local history log, but users should know the skill will create and write files under that path.
- Persistence & Privilege
- note: always:false and model invocation is allowed by default (normal). The only persistence is creation of a per-user data directory and appending to history.log there; the skill does not modify other skills or system settings. Users should be aware of the small local file write.
