Back to skill
Skillv1.0.2
ClawScan security
LYGO Champion COSMARA · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 12, 2026, 1:32 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only, roleplay-focused skill whose requested surface (no env vars, no installs, no binaries) matches its stated purpose of providing an ethics-minded exploration persona.
- Guidance
- This skill is a persona/instruction bundle (no code, no installs, no secrets). It's internally consistent: it tells the agent how to speak, what canon to use, and suggests optionally saving a local anchor file. Before enabling: decide whether the agent should be allowed network access (it may fetch or cite the external X links or lore) and whether you are comfortable with it creating files under a local champions/ path. If you want tighter control, disable network access for the agent and/or restrict file writes, or inspect any anchor files the agent creates for sensitive content. Otherwise the skill does not request surprising permissions or credentials.
Review Dimensions
- Purpose & Capability
- okThe skill is a persona/creative guideline for an 'ethical cosmic explorer' and does not request credentials, binaries, or installs beyond what that role would need. Suggested local anchoring (saving a COSMARA.json) is consistent with provenance/anchoring claims.
- Instruction Scope
- noteSKILL.md instructs the agent to adopt a specific voice, reference Eternal Haven canon, label speculation vs canon, and optionally save a local anchor file under champions/COSMARA/. These are within the skill's remit. Note: the guidance references external public links and lore resources — the agent may fetch or cite those if it has network access, so consider whether you want it to reach outside sources.
- Install Mechanism
- okNo install spec or code files are present; nothing will be written to disk by an installer. Low installation risk.
- Credentials
- okThe skill requests no environment variables, credentials, or system config paths. No disproportionate secret access is requested.
- Persistence & Privilege
- okalways is false and model invocation is enabled by default — normal for skills. The skill's instructions suggest creating local anchor files but do not request elevated or cross-skill privileges.