Skill v1.0.1

ClawScan security

Dev Task · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 8:23 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with a local project versioning/archival helper and do not request unrelated credentials or network access.
Guidance
This skill appears coherent and focused on local version/archival workflows. Before using: (1) run init-version.sh with the correct project path to avoid accidental copies/overwrites; (2) inspect versions/ after a run to confirm only intended files were copied (the script will copy src/public/package files and may include secrets if they exist in the project); (3) be cautious with the deployment instructions that suggest running systemctl as root or pm2/npm commands — those require appropriate privileges and operational review; (4) note sed -i usage may behave differently on macOS (BSD sed) and cp may overwrite files — test in a safe environment or a backup branch first. There are no signs of network exfiltration or hidden endpoints in the included files.

Review Dimensions

Purpose & Capability
ok: The name/description (versioned development task management) matches the included SKILL.md, templates, and init-version.sh script. Required actions (mkdir, cp, sed, copying project files, updating docs, pm2/npm references for deployment) are proportional to the stated purpose.
Instruction Scope
ok: Runtime instructions confine themselves to local project operations: checking/creating versions/, copying templates, archiving project files, and local rollback/deploy steps. No instructions attempt to read unrelated system config, network endpoints, or secrets. Deployment notes mention systemctl/pm2/npm which are relevant to deployment tasks but are only documentation/commands the user would run.
Install Mechanism
ok: No install spec; the skill is instruction-only plus a small helper script (scripts/init-version.sh). The script is straightforward: it validates args, copies templates, replaces placeholders, and backs up project files. No downloads, extract steps, or external URLs are executed by the skill itself.
Credentials
ok: The skill declares no required environment variables or credentials. Templates reference editing a .env in deployment documentation, which is expected for deployment instructions but not requested by the skill. Nothing asks for unrelated secrets or cloud credentials.
Persistence & Privilege
ok: always:false and no code attempts to persist across agents or modify other skills. The skill operates on user-supplied project paths and does not register itself for permanent/autonomous elevation.