Skill v0.1.0
ClawScan security
Academic Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:47 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its LaTeX-writing purpose and don't request unrelated credentials or exotic installs, but the SKILL.md and repository metadata are slightly inconsistent and the skill requires shell execution and large system packages (TeX) which you should approve explicitly.
- Guidance: This skill appears to do what it says: scan templates, read user reference files, write .tex/.bib, and compile with latexmk. Before installing, verify you trust the skill owner (source unknown) because SKILL.md allows shell execution and asks you to run sudo apt-get to install a large TeX distribution. Check the small script (scripts/writer_tools.py) yourself — it only reads/writes local files and runs latexmk/which — and confirm you are comfortable giving the skill permission to run shell commands and to read files in the working directory. Also request that the publisher update registry metadata to list required binaries (python3, latexmk/TeX Live) and the PYTHON_CMD env so capability/requirements are consistent.
Review Dimensions
- Purpose & Capability (note): The name/description (LaTeX writer, template scanning, reading notes, writing .tex, compiling PDFs) aligns with the included Python tool and SKILL.md workflows. However, the registry metadata lists no required binaries/envs while SKILL.md explicitly requires python3, latexmk/TeX Live and sets a PYTHON_CMD env — a metadata omission that should have been declared.
- Instruction Scope (ok): SKILL.md tools and logic are scoped to scanning the current directory for .tex/.bib, reading user-supplied reference files (docx/txt/tex/md), writing/appending .tex/.bib, and invoking latexmk to compile. There are no instructions to read or transmit unrelated secrets or to contact external endpoints. The skill does request shell:exec (to run system commands), which is necessary for compilation but is a powerful permission the user must accept.
- Install Mechanism (ok): No install spec is provided (instruction-only), and the included Python script is small and readable. The SKILL.md recommends installing texlive-full and python-docx via apt/pip — these are expected for full LaTeX compilation. There is no download-from-URL or extract operation in the install process.
- Credentials (note): The skill does not request credentials or secret env vars (good). It does define a runtime env var PYTHON_CMD and requires system tools (python3, latexmk). Those runtime requirements are reasonable for the stated purpose but they are not reflected in the registry 'requirements' section — an inconsistency you should be aware of.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated persistent privileges. It asks the user to create a venv in the skill directory and to install system packages (sudo apt-get) — normal for LaTeX workflows. The SKILL.md's shell execution permission allows running compilation commands; that is necessary but gives the skill the ability to run arbitrary shell commands if misused.
