Skill v3.0.0
ClawScan security
Skill Refiner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 5:59 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only linter that reads SKILL.md files and writes a local review log; its requested actions are consistent with its stated purpose.
- Guidance: This skill appears to do what it says: audit SKILL.md files and save a local markdown report. Before installing, confirm your agent environment has grep, curl, and python3 available (the SKILL.md expects them though metadata doesn't list them). Be aware it will read every skills/*/SKILL.md in the workspace and append reports to memory/skill-refiner-log.md (so review that file for any sensitive content you don't want aggregated). The link-check step is optional but will make outbound HTTP requests; disable it if you want a fully offline review. Run it manually once to verify behavior and check that saving reports to the 'memory' location aligns with your privacy/policy requirements.
Review Dimensions
- Purpose & Capability (note): The name/description match the runtime instructions (it audits SKILL.md files, scores quality, and writes a report). Minor metadata mismatch: the registry lists no required binaries, but SKILL.md explicitly expects grep, curl, and python3. These are reasonable for the stated task but should be declared in the registry metadata.
- Instruction Scope (ok): Instructions stay within scope: they read skills/*/SKILL.md, analyze frontmatter/content/code blocks/references, and produce a report. The only external action is an optional link freshness check (HTTP requests). The skill documents 'read-only' behavior and explicitly forbids editing certain files (SOUL.md, MEMORY.md, AGENTS.md).
- Install Mechanism (ok): No install spec and no code files, which is the lowest-risk model. The skill is instruction-only and does not download or execute external archives.
- Credentials (ok): The skill requests no credentials or config paths. It operates on repository files and creates a local report; no secrets or unrelated env vars are required.
- Persistence & Privilege (note): always:false (normal). It writes a report to memory/skill-refiner-log.md which is persistent within the agent workspace; users should confirm that storing aggregated review output there is acceptable. Autonomous invocation is allowed by default but not excessive for this utility.
