Skill v2.0.1
ClawScan security
Test Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 10:52 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (generate test templates and provide a small CLI), but there are small documentation mismatches and a truncated source file in the package that limits a complete review.
- Guidance: This skill is generally coherent with its purpose: it generates test templates and provides a simple CLI that logs entries to a data directory. Before installing, consider:
  1) Review the full scripts/test-generator.sh file — the provided bundle is truncated in the review copy, so unseen code could change the assessment.
  2) Be aware the tool writes to ~/.local/share/test-generator (or TEST_GENERATOR_DIR) and appends every invocation to history.log; if you prefer not to keep command history, set a custom TEST_GENERATOR_DIR or inspect/clean the files.
  3) Although the generator itself doesn't call the network or request credentials, many of the generated test templates assume external tools (python3, node packages, Playwright, Selenium, databases). Installing/running those generated tests will require those frameworks; the SKILL.md slightly understates this dependency.
  4) Prefer running the scripts in a sandbox or review them locally before executing, especially because a portion of the script was truncated in the provided package.

  If you want a deeper assessment, provide the full, untruncated scripts/test-generator.sh and I can re-check for any hidden or risky behavior.
Review Dimensions
- Purpose & Capability (note): Name/description match the provided scripts: scripts produce unit/integration/e2e/mock test templates and a small CLI for logging data. However, SKILL.md claims "pure bash, no external dependencies" while scripts (scripts/test-generator.sh) use python3 heredocs to render templates. The mismatch is likely a documentation oversight but is worth noting.
- Instruction Scope (note): SKILL.md instructs only CLI usage and setting TEST_GENERATOR_DIR; the runtime scripts only read/write files within the tool's data directory and append to a history.log. The tool does not itself make network calls or request secrets. Generated test templates reference external frameworks/endpoints (pytest, jest, Playwright, selenium, database connections, localhost:3000) but those are artifacts for the user to run later — the skill does not execute them. A portion of scripts/test-generator.sh is truncated in the provided bundle, preventing a full line-by-line review of all runtime behavior.
- Install Mechanism (ok): No install spec is present (instruction-only install), so nothing is downloaded at install time. The packaged scripts live in the skill bundle; there are no external install URLs or extraction steps.
- Credentials (ok): The skill requests no environment variables or credentials. It uses TEST_GENERATOR_DIR (or XDG_DATA_HOME/HOME) for data storage, which is proportional to a CLI data-logging tool. It writes only to its own data directory and history.log; no unrelated secrets or system config paths are requested.
- Persistence & Privilege (ok): always:false and no special privileges requested. The skill writes files only under its own data directory (~/.local/share/test-generator by default) and does not modify other skills or system-wide agent settings.
