Skillv1.0.0

ClawScan security

Project Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 5, 2026, 11:14 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: Instruction-only project management skill that only creates and edits local markdown project files and dashboards; its requirements and behavior are consistent with its stated purpose.
Guidance: This skill is internally consistent, but before enabling it: (1) back up any existing projects/ directory (it will create and update markdown files there); (2) review the generated files the first time the skill runs to ensure formatting and content meet your needs; (3) confirm how your agent's 'memory' and other integrated skills handle data, since the skill suggests logging decisions to memory (this may expose project contents to other agent components); (4) if you want to limit scope, run it in a sandboxed workspace or restrict the agent's filesystem access to the intended projects/ folder; (5) because the skill has no human-reviewed source/homepage, be cautious about enabling any autonomous workflows that would share project data externally.

Review Dimensions

Purpose & Capability: okThe name/description (multi-project tracker, dashboards, stalled detection, weekly reports) align with the runtime instructions: creating/updating files under projects/, maintaining DASHBOARD.md, scoring/prioritizing projects, and producing weekly reviews. No unrelated credentials, binaries, or installs are requested.
Instruction Scope: okSKILL.md instructs the agent to create/read/update markdown files in a projects/ directory, produce reports, and detect stalled projects based on recent progress entries. It does not instruct the agent to read arbitrary system files, access network endpoints, or exfiltrate data. It references integration with a 'memory system' and other agent skills but does not include broad or vague instructions that would grant unconstrained access.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files. Nothing will be downloaded or written by an installer step as part of installation.
Credentials: noteThe skill declares no required environment variables or credentials, which is proportionate. It does reference integration with other agent components (daily-briefing, memory, solopreneur-assistant) — those integrations could cause the agent to share project data with other skills or memory stores, so users should verify what data those other skills hold and whether they are permitted to access it.
Persistence & Privilege: okNo special persistence or elevated privileges are requested (always:false). The skill will operate by creating/updating files in a user-visible projects/ directory — normal behavior for a tracker — and does not attempt to modify other skills' configurations or system-wide settings.