Skill v1.5.0
ClawScan security
Godot Game Claw Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Mar 14, 2026, 5:03 PM)
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match the stated purpose (a Node-based CLI that scaffolds Godot projects), but there are a few minor mismatches and operational details you should be aware of before installing.
- Guidance
- This skill appears to do what it says: generate Godot 4.x projects with scenes, scripts, and components. Before installing/running it: (1) Inspect the entire clawbridge.js file for any unexpected execSync calls or commands (especially around the 'open' command) because child_process can execute shell commands. (2) Run it in a disposable directory (not your home or a repo with secrets) so generated files and any save files are isolated. (3) If you expect the tool to open the Godot editor, ensure you have the Godot binary installed locally — the skill does not declare that dependency. (4) Only install/run if you trust the publisher (source/homepage unknown). If you want higher assurance, request the full source and confirm there are no network calls, credential access, or command-injection vectors in the remaining (truncated) portions of the script.
Review Dimensions
- Purpose & Capability
- ok: The name and description (Godot project generator) align with the included CLI implementation: the JS creates project folders, scenes, scripts, assets, and components as described. The skill only declares node as a required binary, which matches the CLI being a Node script. Note: SKILL.md and the commands include an 'open' step that likely invokes the Godot editor, but the registry metadata does not declare a dependency on a 'godot' binary — a minor mismatch to be aware of.
- Instruction Scope
- ok: SKILL.md instructs the agent to run local CLI commands (init, scene, script, component, open, etc.) and to generate files inside the current working directory. The runtime instructions do not request unrelated files, secrets, or external endpoints. The generated 'save' component persists to 'user://save.dat' (a Godot user save path), which writes to disk — expected for a scaffolding tool but worth noting if you run it in a sensitive directory.
- Install Mechanism
- note: No install spec is provided (instruction-only from the registry's perspective), but the package includes an executable Node script (clawbridge.js). That is not necessarily malicious, but it means the CLI code is bundled and will run locally; there are no external downloads or URL-based installers in the manifest, which reduces supply-chain risk. Review the full script before executing it on a machine you care about.
- Credentials
- ok: The skill requests no environment variables or credentials, and the code shown does not read secrets or external config paths. This is proportionate for a local project generator. The script does import child_process.execSync (used for shell operations in Node) — acceptable for invoking local tools (e.g., opening the Godot editor) but worth auditing, because execSync can run arbitrary commands if fed untrusted input.
- Persistence & Privilege
- ok: The skill does not request permanent/always-on privileges (always:false) and does not modify other skills or global agent configuration. It writes files into the current working directory (expected for a scaffolding CLI) but does not appear to persist anything beyond the generated project files.
