Skill v1.0.0
ClawScan security
Hash Utilities · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 9:57 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally coherent for a local hash generate-and-verify utility. Its code, README, and declared requirements mostly match the stated purpose, with a small Python version mismatch to note.
- Guidance: This appears to be a straightforward local hashing utility and is coherent with its description. Before installing or running it: (1) run it in a controlled environment (or inspect the repository link in SKILL.md) and ensure your runtime is Python 3.8+ (the code uses ':='); (2) only pass file paths or secrets you trust, since the tool will read any file path you give it locally; (3) HMAC keys are used locally by the script, so do not paste production secrets into an untrusted environment; and (4) if you need strict compatibility with Python 3.6–3.7, request or adapt a version of the code that avoids the walrus operator.
Review Dimensions
- Purpose & Capability (note): The name, description, SKILL.md, and the included Python script all align: the skill computes and verifies hashes (MD5/SHA/CRC32/HMAC/BLAKE2) for strings and files. However, the SKILL.md claims 'Python 3.6+' while the code uses the walrus operator (':=') in file-read loops, which requires Python 3.8+. This is a mismatch between claimed runtime and actual code requirements.
- Instruction Scope (ok): SKILL.md only instructs how to hash strings/files, verify values, batch files, and generate HMACs. It does not ask the agent to read unrelated system files, environment variables, or send data to external endpoints. The CLI reads only user-specified file paths.
- Install Mechanism (ok): There is no install spec (instruction-only skill with an accompanying script). Nothing is downloaded or written during install according to metadata. The included code is pure-Python stdlib and does not require external packages.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. Its runtime uses only standard libraries (hashlib, hmac, zlib, binascii, os, argparse) which are appropriate for the stated functionality.
- Persistence & Privilege (ok): The skill is not marked always:true, does not request elevated/persistent presence, and does not modify other skills or system-wide configuration. Autonomous invocation is allowed by default but is not combined with any other concerning privileges.
