Skill v3.4.1
ClawScan security
Icon · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 7:13 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with its stated purpose (generating, converting, and managing icons) and do not request unrelated credentials or installs.
- Guidance: This skill appears to do what it says: a self-contained bash script for creating and converting icons. Before running it, review the script (you already have it), run it on directories you control, and avoid running it as root. The convert path uses external tools (ImageMagick 'convert' or 'rsvg-convert') — ensure those are from trusted packages and be cautious processing untrusted images because past ImageMagick vulnerabilities have allowed code execution. Note the script expects GNU-style utilities (example: grep -oP for PCRE); behavior may vary on some systems. If you need higher assurance, run the script in an isolated environment (container) and verify any third-party binaries it invokes are up-to-date.
Review Dimensions
- Purpose & Capability (ok): The name/description (icon generation, conversion, sprites, favicons) matches the included SKILL.md and the bash script which implements generate, sprite, convert, search, resize, and favicon operations. No unrelated services, credentials, or binaries are requested.
- Instruction Scope (ok): SKILL.md directs the agent to run the included bash script with explicit arguments. The script only reads user-specified files/directories and writes outputs to user-specified output paths; it does not attempt to read unrelated system configuration, environment secrets, or contact external endpoints.
- Install Mechanism (ok): There is no install spec; the skill is instruction + a local shell script. No remote downloads or archive extraction are performed by the skill itself.
- Credentials (ok): The skill declares no required environment variables or credentials, and the script does not access external secrets. It does call external image tools if available (ImageMagick 'convert', librsvg 'rsvg-convert'), which is appropriate for image conversion features.
- Persistence & Privilege (ok): always is false and the skill does not request permanent or elevated platform privileges or modify other skills' configurations. It operates locally and on files/paths provided by the user.
