Back to skill
Skillv0.1.0
ClawScan security
Musify MooreThreads · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 3:36 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only guide for a text-based CUDA→MUSA conversion tool and its requirements and actions are consistent with that purpose.
- Guidance
- This SKILL.md is coherent with a code-migration tool, but take these precautions before running it: 1) Do a full backup or ensure version control before using --inplace; prefer --create or printing to stdout for an initial pass. 2) Verify the origin of musify-text and the ahocorapy package (install from official MooreThreads releases or the project's GitHub, not a similarly named pip package). 3) Test conversion on a small subset of files and run the MUSA compiler/tests before committing changes. 4) Avoid running automated bulk commands (find/rg piped into --inplace) until you're confident the mappings and exclusion markers behave as expected.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the SKILL.md documents running a musify-text conversion tool over CUDA source files and contains expected options and mappings. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope
- noteInstructions remain within the conversion task (running musify-text, finding source files, options, exclusion markers). They explicitly include in-place modification operations and batch file selection (find/rg), which is appropriate for a migration tool but increases risk to source if run without backups or vetting. The doc advises backing up code; it does not instruct reading or exfiltrating unrelated system files or credentials.
- Install Mechanism
- noteThere is no automated install spec in the skill (instruction-only), which limits what is written to disk. The doc suggests pip install ahocorapy and that musify-text should come from the MUSA toolkit; pip-installing introduces normal package-source risk (typo-squatting or malicious package) but that is expected for a tool relying on Python packages.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The declared requirements map cleanly to the tool's stated functionality.
- Persistence & Privilege
- okSkill is not marked always:true and is user-invocable only. It does not request persistent platform-wide access or modify other skills' configurations.