Skillv2.0.0

ClawScan security

Ifc Data Extraction · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 13, 2026, 5:11 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (IFC/BIM data extraction) matches its instructions and requested filesystem access; there are no unexplained credentials, network endpoints, or install downloads in the bundle.
Guidance: This skill appears coherent and focused on local IFC/BIM data extraction. Before installing or running it, ensure: (1) you are comfortable granting filesystem access (it will read .ifc files and write exports); (2) your environment has IfcOpenShell and required Python packages installed from trusted sources (the package is non-trivial to build on some systems); (3) you only run it on IFC files you trust (large models may be resource-intensive). If you need the agent to auto-install missing Python packages, review and control any pip/install commands and their sources. Otherwise the skill itself does not request credentials or network endpoints and matches its stated purpose.

Purpose & Capability: okName/description, instructions.md, and SKILL.md all describe IFC parsing via IfcOpenShell and extracting element/property/quantity data. The declared filesystem permission is appropriate for reading .ifc files and writing exports. Nothing requested appears unrelated to IFC extraction.
Instruction Scope: okRuntime instructions only reference opening an IFC file, traversing IFC entities, extracting property sets and quantities, and exporting results (CSV/Excel/JSON/DataFrame). The docs explicitly state no network access is required and do not instruct reading unrelated files, environment variables, or posting data externally.
Install Mechanism: noteThis is an instruction-only skill with no install spec. It expects IfcOpenShell and pandas to be available in the environment but does not provide or declare an installer. That is not malicious but may lead the agent or integrator to install Python packages manually (or via pip) before use—consider validating the source and method you use to install IfcOpenShell.
Credentials: okNo credentials, environment variables, or config paths are requested. The only declared permission is filesystem access, which is appropriate and proportionate for reading IFC files and writing exports.
Persistence & Privilege: okalways:false and user-invocable:true (normal). The skill does not request elevated or persistent platform privileges and does not modify other skills or global agent settings.