Back to skill
Skillv1.0.0
ClawScan security
Psd Automator Skill Command · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 6, 2026, 3:45 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- Instruction-only skill that documents a command wrapper for an existing PSD orchestrator; it doesn't request extra credentials or install anything and is internally consistent with its stated purpose.
- Guidance
- This skill is an instruction-only wrapper that expects an external psd-automator core/tool (psd_automator_skill_command) to exist; the skill bundle itself does not install code or request secrets. Before installing or enabling it, confirm that: (1) the platform actually provides/links to the psd-automator implementation (inspect that tool's code or provenance), (2) you trust that tool to read any file paths you pass (taskJsonPath) and to handle PSD contents safely, and (3) you are ok with usage-statistics metadata being flagged as entrypoint=skill_command (the SKILL.md references a shared stats store but does not say where). If you need stronger guarantees, review the implementation of the psd_automator_skill_command tool and the PSD orchestrator it reuses before granting runtime permissions.
Review Dimensions
- Purpose & Capability
- okThe name and description claim to dispatch PSD automation via an existing /psd orchestrator; the SKILL.md only documents a wrapper command and does not request unrelated credentials, binaries, or config paths. All declared requirements (none) align with that purpose.
- Instruction Scope
- noteSKILL.md provides only command metadata and usage examples. It does accept a <taskJsonPath> or free-text task description and documents reusing the existing pipeline; the file-path argument implies the underlying psd_automator_skill_command tool (not included here) may read local files. The skill's instructions do not themselves direct the agent to read unrelated system files or external endpoints.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only), so nothing is written to disk by the skill bundle itself.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths. That matches the simple command-wrapper purpose.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request permanent presence or system-wide configuration changes in the provided metadata.