Skill v1.0.0
ClawScan security
Shed · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 5:05 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are coherent with its stated purpose (context hygiene); it asks the agent to mask, summarize, write small memory files, and spawn sub-agents — behaviors that match the description — but it lacks provenance and does not declare storage paths, so verify runtime file handling before use.
- Guidance: This skill appears coherent and matches its purpose, but before installing: (1) confirm where 'memory/YYYY-MM-DD.md' and other files will be stored, who can read them, and how long they are retained; (2) test it in a sandboxed agent runtime to verify file-IO and sub-agent behavior; (3) ensure the runtime masks or filters any sensitive data before writing; (4) note the package has no source/homepage listed and an anonymous owner — if you need provenance or accountability, request the source or prefer a skill with clear authorship. If those controls are acceptable, the skill's instructions are reasonable for managing context.
Review Dimensions
- Purpose & Capability (ok): The name/description (context hygiene for long-running agents) aligns with the instructions: masking tool outputs, summarization, writing compact facts to files, switching context, and spawning sub-agents are all relevant capabilities. The skill does not request unrelated credentials or binaries.
- Instruction Scope (note): SKILL.md explicitly instructs the agent to write extracted facts and breadcrumbs to files (e.g., memory/YYYY-MM-DD.md), mask or delete raw tool outputs, spawn fresh-context sub-agents, and move context around. Those actions are within scope for a context-management skill but they imply filesystem and agent-management operations that can persist data; the skill does not declare any config paths or describe where those files live or how long they are retained.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files — low install risk. Nothing is downloaded or written by a separate install step.
- Credentials (ok): The skill requires no environment variables, credentials, or external tokens, which is proportionate for the stated purpose. No extraneous secrets are requested.
- Persistence & Privilege (note): The skill does not request always:true or elevated platform privileges. It instructs spawning sub-agents and writing memory files, which are reasonable for an agent hygiene tool, but these behaviors increase persistent surface (on-disk memories, sub-agent state) and therefore rely on the runtime's sandboxing, access controls, and retention policies.
