Skillv1.0.1

ClawScan security

Claude Code Setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 28, 2026, 8:08 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and runtime instructions are consistent with its stated purpose (creating a .claude/ project configuration) and do not request credentials or perform network activity — it primarily writes template files into the current project directory.
Guidance: This skill appears to do what it says: create a .claude/ directory and populate it with templates. Before running it: (1) ensure your shell's current working directory is the exact project directory you intend — running it in the wrong folder will create .claude/ there; (2) inspect index.js if you want to verify templates or behavior (it is included and easy to read); (3) you can run it without --force to avoid overwriting existing files (the script checks and skips existing files); (4) there are no network calls or credential requests, but treat any file-write operation carefully in sensitive repositories (consider running in a disposable test repo first).

Purpose & Capability: okName/description match the actual behavior: SKILL.md and index.js both set up a .claude/ directory and populate it with template files. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteRuntime instructions tell the agent to check for .claude/ and, if missing, run the bundled index.js to create templates. That is appropriate for the purpose, but the instructions and script will write files into the current working directory — the SKILL.md warns about choosing the correct project directory. Confirm you run it in the intended project to avoid accidental writes.
Install Mechanism: okNo install spec or remote downloads. The skill is instruction-only for install but includes a local index.js script (no obfuscated code or external fetch). This is low-risk compared with network installs.
Credentials: okThe skill requests no environment variables or credentials and only accesses the working directory and .claude/ path; access is proportional to its stated function.
Persistence & Privilege: okalways:false and default autonomous invocation are set. The skill does write files to the project but does not request persistent elevated privileges or modify other skills or system-wide settings.