Skill v1.0.0

ClawScan security

OGT Docs Create Task · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:25 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (create and manage task folders under docs/todo/) matches its instructions and it does not request unrelated credentials or install anything.
Guidance
This skill is internally consistent: it documents and automates creating/updating task folders under docs/todo/ and does not declare extra credentials or installs. Before enabling it, confirm (1) what repository/workspace the agent will operate on and that you trust that repository access, (2) whether the agent will open branches/PRs or push commits (platform-level git/API permissions may be used even though the skill doesn't declare tokens), and (3) whether you want the agent to be able to modify files autonomously — if not, require manual review of changes or limit the agent's repository permissions and test in a sandbox repo first.

Review Dimensions

Purpose & Capability
ok
The name/description describe managing a docs-first task workflow and the SKILL.md provides detailed file/folder conventions and examples for creating, moving, and annotating task folders under docs/todo/. There are no requested env vars, binaries, or installs that are unrelated to that purpose.
Instruction Scope
ok
The instructions focus on creating and updating files in the docs/todo/ workflow (task.md, progress.md, .verified, .assigned_to_{agent}, etc.). Example content references repository files for context (e.g., GlobalSearch.tsx), which is coherent for a docs/task workflow skill. The SKILL.md does not (in the visible excerpts) instruct reading arbitrary system files or exfiltrating data to external endpoints.
Install Mechanism
ok
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk or downloaded during install.
Credentials
note
The skill requires no environment variables or credentials, which is consistent for a workflow that operates on repository files. Note: if the agent is expected to create remote PRs or interact with external APIs as part of the workflow, those actions would typically require platform-provided git or API credentials (not declared here); ensure the platform's permissions model, not this skill, is granting any remote access.
Persistence & Privilege
ok
always:false and no special persistence is requested. The skill will operate when invoked and does not request to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but that is expected for skills of this kind.