Skill v2.1.1
ClawScan security
Close Loop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 6:39 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested actions and files are consistent with an end-of-session wrap-up workflow — it expects to read session transcripts, inspect repos, and write/move project files and memory entries; no unexplained credentials, network endpoints, or install steps are present.
- Guidance: This skill is coherent with its stated purpose but will read session transcripts, scan repositories, run git commands, and may move or commit files. Before installing or running:
  1) Confirm you trust the skill source (no homepage/origin is provided).
  2) Run it in dry-run first to inspect the machine-readable JSON report and proposed changes.
  3) Ensure you have backups or an easy way to revert commits/renames.
  4) Be prepared to approve any push/deploy/publish operations (the skill claims to ask before doing them).
  5) If you require stricter controls, request the skill explicitly declare required binaries (git) and add explicit prompts before any filesystem write operations.
Review Dimensions
- Purpose & Capability (note): The name/description (end-of-session wrap-up, memory consolidation, ship/publish gating) matches the instructions and included components. One minor mismatch: the registry metadata lists no required binaries, yet the runtime instructions explicitly call out git operations and filesystem changes (git status, commit, push, moving files). This is plausible for the skill's purpose, but the skill should have declared that it expects a working git CLI and filesystem access to projects.
- Instruction Scope (note): SKILL.md and component files clearly instruct the agent to: read the session transcript, inspect command outputs and diffs, scan project repositories, run git commands, move/rename documentation files, and create drafts/persistent memory records (subject to filters). These actions fall within the stated purpose, but they do give the skill the ability to read and modify repository files and to access conversation history and existing memory. The skill documents safety gates (dry-run mode, ask-before-push/deploy/publish, reject secrets), which mitigates risk. The instructions are somewhat permissive about 'find touched repos' (implies filesystem scanning) — users should expect repository-level read/write access when this skill runs.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; lowest installation risk. There is nothing downloaded or written by an automated installer as part of the skill bundle itself.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths in metadata. The behavior described (local git operations, optional push/deploy) normally requires local tooling and potentially remote git credentials — but the skill explicitly gates push/deploy/publish behind user approval or project policy and instructs not to persist secrets. Overall, requested privileges are proportionate to the stated purpose.
- Persistence & Privilege (note): The skill is not marked always:true (so it won't be force-included) and retains normal autonomous-invocation defaults. It is allowed to write project files, memory entries, and make commits when run — which is appropriate for a wrap-up workflow but is a meaningful level of privilege. The skill includes guardrails (dry-run, ask before irreversible actions). Users should ensure they are willing to let the agent modify repo files and memory before granting run permission.
