Back to skill
Skillv1.0.0
ClawScan security
Evidence URL Verifier · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 1, 2026, 10:23 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and behavior are coherent with its stated purpose (verifying evidence URLs and local artifact existence); it is an instruction-only PowerShell checklist with no hidden installs or credential requests.
- Guidance
- This skill is coherent and limited in scope, but be aware of practical risks: it runs network requests and may read local paths you provide — do not supply sensitive or private URLs unless you intend the agent to fetch them. The instructions are PowerShell-specific, so ensure the execution environment supports PowerShell before relying on it. Consider restricting which paths the skill may check, avoid sending credentials to verify protected resources, and confirm rate-limiting to prevent accidental scanning of many URLs. If you need the agent to check URLs behind authentication, prefer explicit, scoped credentials rather than pasting secrets into URLs or content fields.
Review Dimensions
- Purpose & Capability
- okName and description match the runtime instructions: the SKILL.md shows URL HEAD/GET checks, content-type and placeholder detection, and Test-Path checks for local artifacts. There are no unrelated environment variables, binaries, or installs requested.
- Instruction Scope
- noteInstructions are narrowly focused on HTTP checks and local file existence. They do include examples that fetch content from supplied URLs and check local artifact paths; this is within scope but means the agent will attempt network requests and local filesystem reads for whatever URLs or paths it is given. The skill advises redaction and rate-limiting, which is appropriate.
- Install Mechanism
- okNo install spec and no code files — instruction-only — so nothing will be written to disk or downloaded by the skill itself.
- Credentials
- okThe skill requests no credentials, environment variables, or config paths. Its operations (HTTP requests, local path checks) do not require additional secrets as written.
- Persistence & Privilege
- okalways is false and autonomous invocation remains the platform default; the skill does not request permanent presence or changes to other skills or system-wide settings.