Skill v1.0.0

ClawScan security

LYGO Champion: SEPHRAEL — Echo Walker (Vault Cracker) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:28 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files and runtime instructions are internally consistent with a persona helper that detects recursive/evasive loops; included scripts only validate package files and print a packaged hash, and no credentials, installs, or network calls are required by the skill itself.
Guidance
This package appears coherent and benign: its scripts only validate local package files and print the stored LYGO hash. Before installing or following the SKILL.md verifier instructions, review the external verifier link (https://clawhub.ai/DeepSeekOracle/lygo-mint-verifier) independently — the skill points you there but does not itself download or run that tool. If you plan to use the verifier, verify the verifier's authenticity (TLS, publisher, project repo) and confirm the SHA-256 in references/canon.json matches any posted anchor you trust. Remember: 'benign' here means internally consistent, not that it has no vulnerabilities — avoid running untrusted installers or pasting sensitive data into external tools.

Review Dimensions

Purpose & Capability
ok: The name/description (loopbreaker/persona helper) matches the packaged assets: persona docs, canonical JSON, small helper scripts for self-check and showing the pack hash. Nothing in the files requests unrelated capabilities (cloud credentials, system services, or external credentials).
Instruction Scope
ok: SKILL.md confines runtime behavior to advisory persona usage and verification guidance. The included scripts only check for expected local files and print a stored SHA-256; there are no instructions to read arbitrary host files, environment variables, or to exfiltrate data.
Install Mechanism
ok: No install specification is provided (instruction-only), so nothing is downloaded or written to disk by the platform installer. The SKILL.md references an external verifier URL but does not embed or automatically fetch it.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. The code also does not read environment variables or secrets.
Persistence & Privilege
ok: The skill is not always-enabled, uses default autonomous-invocation settings (normal), and does not attempt to modify other skills or system-wide configuration.