Skill v1.0.0

ClawScan security

PowerShell Reliable Execution · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 7:19 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only skill that provides PowerShell best-practice patterns and verification checks; it requests no credentials, installs nothing, and its actions are consistent with its stated purpose.
Guidance
This skill is coherent and appears to do what it says: teach and verify reliable PowerShell execution patterns. Before using: (1) review any scripts you run that were produced or modified based on these patterns, especially checkpoint files — they live in the working directory and could accidentally include sensitive state if misused; (2) never run unreviewed code from unknown sources with elevated privileges; (3) treat the secret-detection heuristics as helpful but imperfect (they can miss secrets or generate false positives) — perform an independent review for hardcoded credentials; (4) test long-running or background-job patterns in a safe environment to ensure they behave as expected.

Review Dimensions

Purpose & Capability
ok: The name and description (reliable PowerShell execution, error handling, checkpointing) match the SKILL.md content. The skill does not request unrelated credentials, binaries, or installs, and all examples focus on local PowerShell patterns that are appropriate for the stated goal.
Instruction Scope
ok: All runtime instructions remain within the domain of authoring/running PowerShell scripts: safe command chaining, parameter handling, path handling, checkpointing, retry logic, and local file scanning for secrets. The guidance instructs scanning scripts and writing checkpoint files in the working directory, which is reasonable for this purpose but means users should review what files will be scanned or written before running on sensitive directories.
Install Mechanism
ok: No install spec or code files that would be downloaded or executed are present; this is instruction-only content, which minimizes supply-chain/infrastructure risk.
Credentials
ok: The skill declares no required environment variables or credentials. It references common environment variables (e.g., $env:USERPROFILE, an example $env:MY_API_KEY) only as examples; this is proportionate to the guidance. Users should note the skill shows patterns for using environment variables and SecureString but does not require any secrets itself.
Persistence & Privilege
ok: The skill does not request persistent installation, elevated privileges, or always-on inclusion. It recommends storing checkpoint files in the working directory only and does not modify other skills or global agent settings.