Back to skill
Skillv1.1.0
ClawScan security
JSON Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 22, 2026, 6:34 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a small, self-contained JSON CLI tool whose code and runtime instructions match the description and do not request extra credentials or hidden network access.
- Guidance
- This tool appears safe and does what it claims, but note: it will read any file you pass to it (or data piped to stdin) and can overwrite the output path you specify. Because the package has no homepage and an unknown source owner, run it in a trusted or isolated environment if you are cautious, verify the included main.py matches your expectations, and avoid piping untrusted network data into the script without inspection.
Review Dimensions
- Purpose & Capability
- okName/description (pretty-print, validate, minify, query, sort) match the included Python script. The required resources are minimal and proportional to a JSON utility.
- Instruction Scope
- okSKILL.md instructs running the provided script and using stdin/stdout or files; examples (including piping from curl) are consistent with a JSON tool. There are no instructions to read unrelated files, environment variables, or to exfiltrate data.
- Install Mechanism
- okNo install spec. The skill is instruction-only with an included Python file (no external downloads or package installs). The script uses only the Python standard library.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The tool reads only the user-specified input (file or stdin) and optionally writes to a user-specified output file.
- Persistence & Privilege
- okalways:false and user-invocable:true (normal). The skill does not request persistent privileges or modify other skills or global agent settings.