Skill v1.0.0
ClawScan security
java-standards-alibaba · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 9:17 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only Java style/enforcement skill (Alibaba guidelines) that contains only local reference files and runtime instructions and requests no credentials, binaries, or installs; its requirements match its described purpose.
- Guidance: This skill appears coherent and self-contained: it enforces Alibaba Java guidelines using the included reference files and requires no network access, installs, or secrets. Before installing, consider: 1) the rules are strict and will activate for any Java task, so ensure you want those conventions applied (they may conflict with your project's style). 2) The bundle references an origin file path (D:\ai\...), which is just provenance text; no external file access is required. 3) If you need different style rules (Google, Airbnb, company-specific), keep those tools/skills available or disable this skill when not needed. Otherwise, there are no apparent security red flags.
Review Dimensions
- Purpose & Capability: ok. Name/description match the content: the skill provides Java coding rules and includes many local reference docs. It does not request unrelated credentials, binaries, or system paths beyond the bundled files.
- Instruction Scope: ok. SKILL.md directs the agent to read the bundled reference files and apply rules when generating/modifying Java code. It does not instruct reading external system files, contacting external endpoints, or accessing environment variables. One minor note: the README/SKILL mention an absolute Windows path (D:\ai\...) as a source reference, but that's just a provenance note and not an instruction to read that path.
- Install Mechanism: ok. No install spec and no code files that execute; this is an instruction-only skill. Nothing is downloaded or written to disk by an installer.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. The guidance is self-contained in bundled reference files, so requested access is proportional to purpose.
- Persistence & Privilege: ok. always:false and default autonomous invocation are appropriate. The skill does not request permanent elevated presence or modify other skills or system-wide configuration.
