Skill v1.0.0
ClawScan security
analyze frontend structure · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 2:47 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are consistent with its stated purpose (scanning a frontend project directory and generating a module-page mapping), but the SKILL.md is high-level and leaves implementation details unspecified.
- Guidance: This skill appears coherent with its description: it expects a project directory and will analyze files there. Before running it, provide only a project directory (not your entire home or system paths), or run it against a read-only copy of the repository. Ask the skill author or registry for an implementation (scripts or code) or sample output so you can verify exactly which files will be read and whether any network access is performed. If you have sensitive files in the repository, remove or move them before analysis. If you require higher assurance, request an explicit guarantee that the agent will not access paths outside the supplied directory or transmit analyzed data externally.
Review Dimensions
- Purpose & Capability (ok): Name/description match what the skill asks for: scanning a user-provided project directory, parsing routing/config files, and producing mapping outputs. There are no unrelated required binaries, env vars, or config paths.
- Instruction Scope (note): SKILL.md instructs the agent to traverse and analyze a supplied directory and parse framework routing files. This is within scope, but the instructions are high-level (no concrete safe parsing rules or limits). The agent is given broad discretion about how to scan and infer modules, which could lead to unintended file reads if not constrained to the provided path.
- Install Mechanism (ok): No install spec and no code files — instruction-only. This minimizes installation risk because nothing is written to disk by an installer.
- Credentials (ok): No environment variables, credentials, or external config paths are requested. The declared inputs (directory path, optional framework/output type) are proportional to the stated functionality.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request persistent privileges or modify other skills' configurations. Autonomous invocation is allowed by platform default but not requested beyond normal behavior.
