Skill v3.0.0
ClawScan security
Netping · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 10:44 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements match its stated purpose (network diagnostics); nothing requests unrelated secrets or installs arbitrary remote code, though there are a few minor metadata inconsistencies and operational cautions to keep in mind.
- Guidance: This skill is coherent with its stated purpose, but review the script before running. It runs local networking utilities and performs active probes (port checks and a /24 ping sweep) which can be noisy or trigger IDS/IPS and may be disallowed on some networks — get permission before scanning networks you don't own. Ensure required tools (ping, dig/nslookup, traceroute/tracepath, curl) are available on the host; the registry metadata not listing these could cause runtime errors. If you need to restrict behavior, run the script in a controlled environment or modify it to limit scan ranges and timeouts.
Review Dimensions
- Purpose & Capability (note): The skill is a network diagnostic tool and the included Bash script implements ping, port checks, traceroute, DNS lookups, latency, HTTP checks, and a ping sweep — this aligns with the name/description. Note: registry metadata earlier lists "Required binaries: none" while SKILL.md and the script require standard network utilities (ping, dig/nslookup, traceroute/tracepath, curl, bash /dev/tcp). That mismatch is an informational inconsistency (might cause runtime failures) but not a security concern.
- Instruction Scope (ok): SKILL.md and the script limit actions to network diagnostics using local system tools and do not instruct reading unrelated files or exporting environment variables. The script may perform many network probes (port checks, /24 ping sweep), which is expected for this purpose.
- Install Mechanism (ok): No install spec or remote downloads are used; the skill ships a local Bash script. Nothing in the package pulls code from external URLs or executes downloaded artifacts.
- Credentials (ok): The skill does not request environment variables, credentials, or config paths. All operations use local system utilities and network probes consistent with its stated function.
- Persistence & Privilege (ok): The skill does not request always:true, does not alter other skills or system-wide agent settings, and is user-invocable only — no elevated persistence or privilege is requested.
