Skill v2.0.0

ClawScan security

Performance Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 6:56 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill and its included scripts appear to do what the description says (generate performance-review templates and store simple local logs). No network calls or unrelated credential access are present in the visible code, but part of review.sh was truncated in the provided listing, so full certainty is limited.
Guidance
This package appears to be a local performance-review template generator and utility: it uses python3 and shell to print templated reports and to store simple logs under a data directory (default: ~/.local/share/performance-review). Before installing or running it:
(1) inspect the full contents of scripts/review.sh (the provided listing was truncated) to confirm there are no unexpected network calls or data exfiltration in the missing tail;
(2) avoid running as root; run it as your normal user so data files are created in your home directory;
(3) if you prefer logs elsewhere, set PERFORMANCE_REVIEW_DIR or XDG_DATA_HOME to a directory you control;
(4) do not feed it highly sensitive HR data unless you are comfortable with that data being stored in the local data directory, or have moved the directory to a secured location;
(5) ensure python3 is available.
If you want higher assurance, run the scripts in a sandboxed environment or review the complete, untruncated source before use.

Review Dimensions

Purpose & Capability
ok: Name/description match the delivered artifacts: SKILL.md instructs running local review scripts, and the repository includes review.sh, a utility script, and a tips.md. Required capabilities (none) align with a text/template generator.
Instruction Scope
note: SKILL.md instructs running local scripts (scripts/review.sh) which generate templated reports. The visible portions of review.sh only accept command-line inputs and produce local text output; they do not read unrelated system files or send data externally. However, the provided listing of review.sh is truncated mid-file, so the tail of the script was not available for review; this is the primary uncertainty.
Install Mechanism
ok: No install spec; instruction-only plus scripts. Nothing is downloaded or installed automatically by the skill bundle.
Credentials
ok: No required environment variables or credentials. scripts/script.sh optionally respects PERFORMANCE_REVIEW_DIR or XDG_DATA_HOME to locate a data directory; this is reasonable for local data storage and proportional to the stated purpose.
Persistence & Privilege
note: The skill does not run as a persistent service or request elevated privileges, but scripts/script.sh creates a data directory (default ~/.local/share/performance-review) and writes logs/data there (data.log, history.log). This local persistence is expected for a utility that stores user entries, but users should be aware that report contents are stored on disk.