Skill v1.0.0

ClawScan security

Hexdump Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 9:05 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is a simple local hexdump utility whose code and instructions match its stated purpose and which does not request credentials, network access, or unusual system privileges.
Guidance
This skill appears coherent and locally scoped: it reads a file or stdin and prints a hex/ASCII dump. Before running, review the bundled script if you can (it's short and readable). Note the SKILL.md mentions colorized output which the script doesn't implement, and invalid hex input to the decode option can raise an exception. Because the source/owner are unknown, run the tool on non-sensitive data or in a sandbox if you are uncomfortable, and ensure you invoke the script explicitly (python scripts/hexdump.py ...) rather than assuming it was installed system-wide.

Review Dimensions

Purpose & Capability
ok: The name/description (hex + ASCII file viewer) match the included Python tool. The SKILL.md usage aligns with the script's CLI options (file/stdin, length, offset, encode/decode). There is a minor mismatch: SKILL.md advertises colorized output and configurable byte grouping but the provided script prints plain text and does not implement color or grouping controls.
Instruction Scope
ok: Runtime instructions and the script only read the provided file or stdin and perform local string/hex conversions. There are no references to external endpoints, unrelated files, or environment variables. Note: the script does not catch errors from bytes.fromhex()/decode(), so malformed input could raise exceptions; this is a robustness issue, not malicious behavior.
Install Mechanism
ok: There is no install specification (instruction-only). The code file is bundled with the skill and would run locally; nothing is downloaded from external URLs and no archives are extracted.
Credentials
ok: The skill requests no environment variables, credentials, or config paths, consistent with its purpose.
Persistence & Privilege
ok: always is false and the skill does not request persistent/system-wide privileges or attempt to modify other skills or agent configuration.