Skill v0.1.0
ClawScan security
Presale Service Bootstrap · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 5:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instruction-only scaffolding skill whose requests and instructions are consistent with its stated purpose; no credentials, installs, or hidden code are present — but double-check the referenced PowerShell scaffold script if you plan to execute it.
- Guidance: This skill is instruction-only and appears coherent for bootstrapping documentation, configs, and readiness artifacts. Before running any recommended scripts: (1) confirm whether tools/new-presale-service.ps1 exists — the package you provided does not include it; (2) if the script is present, open and review its contents to ensure it does not perform network calls, credential access, or modify system-wide files; (3) run any untrusted script in an isolated environment (container or disposable VM) and ensure PowerShell is the intended runner; (4) if you plan to allow autonomous invocation, remember the agent could run the scaffold steps without per-run approval, so only enable that after you trust the script and instructions.
Review Dimensions
- Purpose & Capability (ok): The skill's name and description describe scaffolding a presale service; the SKILL.md and the two reference docs strictly instruct creating docs, configs, plans, readiness checks, and repo structure. There are no unrelated environment variables, binaries, or install steps requested, so the declared purpose aligns with the actual requirements.
- Instruction Scope (note): The runtime instructions stay within scaffolding/documentation generation scope (creating docs/, config/, plans, readiness checklist, etc.). They do, however, recommend running tools/new-presale-service.ps1 'from this skill pack' — but that file is not present in the package listing. If a scaffold script is later provided, inspect it before running because instruction-only skills rely on the agent executing commands you might not expect.
- Install Mechanism (note): No install spec is present (lowest-risk form). Minor inconsistency: the SKILL.md recommends running a PowerShell script, but the skill does not declare any required binaries (e.g., PowerShell) nor include that script in the manifest. This is an implementation gap rather than an active install risk in the current package.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. That matches its stated purpose of local repo scaffolding and documentation creation; nothing appears disproportionate.
- Persistence & Privilege (ok): always is false, and the skill is user-invocable only. There is no install or code that would persist or elevate privileges. Autonomous invocation is allowed by platform default but is not combined here with broad permissions or credentials.
