Back to skill
Skillv1.0.0
ClawScan security
Json Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 28, 2026, 10:05 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (JSON validation, formatting, querying, and simple conversions) and request no extra credentials or installs.
- Guidance
- This skill appears to be what it claims: a local Python-based JSON utility. Before installing, ensure you have Python available (and install PyYAML if you need YAML conversion). Note the script will overwrite the input file by default when formatting/minifying/sorting unless you pass --output, so use copies for important files. The query implementation is a simple custom parser (not a full JSONPath engine) so complex queries may fail. Because the source/homepage is unknown, consider reviewing the included script (scripts/json_tool.py) yourself before use — it reads and writes files on your system but does not perform network I/O or access secrets.
Review Dimensions
- Purpose & Capability
- okName/description (JSON validation/format/transform) align with the included Python script and SKILL.md examples. The script implements formatting, minifying, validation, querying, key-sorting, and basic conversions (YAML/CSV) — all described in the manifest. No unrelated binaries, env vars, or services are required.
- Instruction Scope
- okSKILL.md tells the agent to run the included local script against a user-supplied file. The script only reads/writes the specified file(s) and does not attempt to read unrelated system files or environment variables, nor does it send data to external endpoints.
- Install Mechanism
- okNo install spec — instruction-only usage launching a local Python script. No network downloads or archive extraction. The script optionally imports PyYAML for YAML conversion and prints a pip install suggestion if missing; that is reasonable and documented.
- Credentials
- okNo required environment variables, credentials, or config paths. The script does not access secrets or other environment data.
- Persistence & Privilege
- okalways:false and user-invocable:true (defaults). The skill does not request persistent system presence or modify other skills or system settings. Autonomous invocation is allowed by platform default but is not coupled with elevated privileges or broad credential access.