Back to skill
Skillv1.0.0
ClawScan security
Mv Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 6:20 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is a small, local file-move utility whose code matches the stated purpose; it contains a minor mismatch between the documentation and the actual script but shows no signs of exfiltration or unrelated capabilities.
- Guidance
- This is a minimal, local file-move tool: the Python script simply calls shutil.move on the two provided paths and does not contact any network services or read secrets. However, the SKILL.md overstates functionality (it lists -i/-f/-v and interactive/batch features that the script does not implement). Before installing or enabling autonomous use, review and test the script in a safe directory (to avoid accidental data loss), and confirm you trust the skill owner/source. If you need overwrite prompts, dry-run, or more robust argument parsing, request or implement those features explicitly. If you are concerned about an agent invoking moves automatically, avoid enabling autonomous invocation or constrain the agent's permissions/sandbox to prevent accidental file changes.
Review Dimensions
- Purpose & Capability
- okName, description, and included Python script all describe moving/renaming files. The skill requests no credentials, no unusual binaries, and no config paths — all proportional to a file-move tool.
- Instruction Scope
- concernSKILL.md advertises options (-i, -f, -v), batch operations, and interactive mode, but the included scripts/mv.py only accepts two positional arguments (src and dst) and does not implement flags, explicit overwrite handling, or interactive prompting. Shell glob examples (e.g., *.log) may work by shell expansion, but the documented options are not implemented.
- Install Mechanism
- okNo install spec (instruction-only + small script). Nothing is downloaded or written to disk by an installer; lowest install risk.
- Credentials
- okNo environment variables, credentials, or config paths are requested or used. This is proportionate for a local move/rename utility.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request permanent presence or elevated privileges. Note: the agent can invoke it autonomously by default — normal for skills but relevant because the skill performs destructive file operations.