Back to skill
Skillv0.1.0
ClawScan security
ThinkPHP UI Restoration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 8, 2026, 2:32 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, required resources, and behavior are coherent with its stated purpose of creating/restoring ThinkPHP .tpl UI components and do not request unrelated credentials or installs.
- Guidance
- This skill appears coherent and focused on editing ThinkPHP templates and related CSS/controller mock data. Before installing or using it, ensure the agent has access only to the intended project repository and that you review any automated edits (templates, CSS, controller changes) in a PR or backup — the skill will propose code changes that should be reviewed for correctness and security. If you plan to let an agent run autonomously with this skill, be aware it can modify project files; restrict its repository access and require human review for changes you care about.
Review Dimensions
- Purpose & Capability
- okThe name and description match the runtime instructions: the SKILL.md focuses on creating/updating .tpl templates, CSS, and mock/controller assignments within a ThinkPHP codebase. It does not request unrelated binaries, services, or credentials.
- Instruction Scope
- okInstructions are scoped to reading and editing project files (view/, public/, app/). They instruct safe template practices (default/isset) and updating mock/controller data as needed. They do not instruct reading system-wide files, environment secrets, or sending data externally.
- Install Mechanism
- okNo install spec or code files are present (instruction-only), so nothing is downloaded or written by an installer. This minimizes on-disk risk.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The runtime instructions reference only project paths that are appropriate for UI/template work.
- Persistence & Privilege
- okalways is false and the skill does not request persistent or cross-skill configuration. It is user-invocable and may be invoked autonomously by the agent (platform default), which is appropriate for this functionality.