Skill v1.1.1

ClawScan security

Sui Coverage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Feb 11, 2026, 9:23 AM)
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, runtime instructions, and required tools are consistent with a coverage-analysis helper for Sui Move; it requires the Sui CLI and Python and contains only local parsing scripts that analyze coverage output (no network exfiltration or unrelated credentials requested).
Guidance
This skill is internally consistent with a Sui Move coverage helper: it expects you to run 'sui move test --coverage' and then runs local Python parsers to analyze colored coverage output or LCOV files. Before installing or invoking the skill, consider:
- Trust the repository: the scripts will execute the 'sui' CLI and will read your package sources and coverage outputs. Running tests will execute code in the target Move package, so only run against trusted code or in a sandbox.
- Review the bundled scripts (they are small, local Python files) if you want certainty; they do not perform network calls, require secrets, or auto-write tests.
- The description mentions 'security audits' but the supplied code only generates coverage-based suggestions and does light pattern inspection; it does not replace a dedicated security audit tool.
- Because the skill invokes the Sui CLI (os.execvp/PTY usage), ensure your environment has the intended version of 'sui' and that you understand the effects of running package tests.
If you need automated test generation or deep security analysis, ask for clarification from the author or use dedicated tooling. Otherwise this skill appears coherent and low risk for use in a development sandbox.

Review Dimensions

Purpose & Capability
Rating: note
Name and description claim coverage analysis, test-writing guidance, and 'security audits'. The included Python tools clearly perform LCOV/source/bytecode parsing and generate suggestions for missing tests — they do not automatically write tests or perform deep automated security audits. This is a minor overstatement in the description but not an incoherence.
Instruction Scope
Rating: ok
SKILL.md instructs running 'sui move test --coverage --trace' and then the provided Python scripts to analyze coverage output. The scripts read coverage output (stdin or lcov files) and optionally read local source files for context; they do not attempt to fetch external data, read arbitrary system config, or access environment variables beyond standard process usage. Running the 'sui' CLI and tests executes code in the target package (expected for coverage analysis) — users should only run against trusted code.
Install Mechanism
Rating: ok
Instruction-only skill with bundled scripts; no install spec, no downloads, and no archive extraction. Risk is low because nothing is automatically fetched or written to disk by an installer.
Credentials
Rating: ok
Requires python3 and the 'sui' binary (declared). No environment variables, credentials, or config paths are requested. The scripts may read local source files and coverage outputs (expected for their purpose).
Persistence & Privilege
Rating: ok
The skill is not marked always:true and does not request permanent platform-level privileges. It does spawn subprocesses (execvp) to run the 'sui' CLI to capture colored output — this is necessary for its functionality but means it will execute the Sui tool in the agent's environment when invoked.