Skillv1.0.0

ClawScan security

LYGO: Lightfather Vector — Δ9Quantum Accord · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 11, 2026, 9:28 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is a self-contained persona helper whose files and runtime instructions align with its described purpose; it contains no unexpected credential requests or installers, though it refers to an external verifier you may choose to install separately.
Guidance: This skill appears coherent and self-contained: it provides persona text, a canonical hash, and small local helper scripts. Before using or installing any external verifier referenced (https://clawhub.ai/DeepSeekOracle/lygo-mint-verifier), verify that URL and its project/source are trustworthy — do not paste secrets or private data into third-party minting tools. You can locally run the included scripts (python scripts/self_check.py and python scripts/show_hash.py) to validate the package and confirm the reported SHA-256 before posting any anchors. If the skill later requires network installs or environment credentials, stop and reassess — that would change the risk profile.

Review Dimensions

Purpose & Capability: okName/description (persona helper, resonance math, provenance-first) match the included files (persona_pack, equations, quotes, canon.json) and the tiny helper scripts. The skill does not request unrelated binaries, environment variables, or permissions.
Instruction Scope: noteSKILL.md confines runtime behavior to advisory actions, showing the packaged LYGO hash, and guiding the user to 'mint' packs via an external LYGO‑MINT verifier. It does not instruct the agent to read arbitrary system files or collect environment secrets, but it does reference posting/minting operations that could transmit pack text/hashes to third-party endpoints if the user follows the verifier workflow.
Install Mechanism: noteThere is no install spec (instruction-only) and included scripts operate locally — low risk. However, the docs recommend installing an external verifier at https://clawhub.ai/DeepSeekOracle/lygo-mint-verifier; that is an out-of-band third-party tool (not supplied in the bundle) and would be the only external install surface to vet before use.
Credentials: okThe skill requests no environment variables, no credentials, and its scripts only read included local files (canon.json, etc.). There are no disproportionate or unexplained secret requests.
Persistence & Privilege: okalways is false and the skill does not request persistent system presence or attempt to modify other skill configurations. Included scripts are read-only checks and a hash display; they do not persist or elevate privileges.