Skill v1.0.3
ClawScan security
Module Analyzer Generate Doc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 1:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested actions and instructions are coherent with a Java/Maven single-module documentation generator; it does not request credentials or external installs and largely stays inside the expected scope of scanning source trees and writing .ai-doc outputs.
- Guidance: This skill appears to do what it says: it scans a specified Java/Maven module, reads source files, and writes generated Markdown into a .ai-doc directory. Before installing/running: (1) run it against a copy or a sandboxed repository if you worry about writes; (2) confirm you are comfortable with the agent reading all project source files (it will access any files under the module path you provide); (3) the README/SKILL.md expect Python and PowerShell but the registry metadata doesn't list required binaries — ensure your runtime supports these tools or clarify with the author; (4) expect substantial model/token usage for large modules (the docs estimate high token consumption); (5) the package metadata versions differ across files (cosmetic), but there are no requested credentials or remote downloads. If you need clarification about how subagents are spawned or where exactly files will be written, ask the publisher before running on sensitive codebases.
Review Dimensions
- Purpose & Capability (note): The skill claims to perform single-module Java/Maven analysis and its SKILL.md describes file scanning, skip rules, and generation of L3/L2 docs — all consistent with the name/description. Minor metadata mismatches: SKILL.md / README ask for Python 3.x and PowerShell >=5.1, but registry 'required binaries' is empty; package/_meta versions differ across files (1.0.0, 1.0.1, 1.0.3). These are inconsistencies in packaging/metadata but do not contradict purpose.
- Instruction Scope (ok): Runtime instructions explicitly read source files under the provided module path, analyze content, and write generated Markdown under .ai-doc/<module>. They include PowerShell examples and describe checkpointing, retries, compression, and optional deletion only with user consent. The skill reads arbitrary project source files (expected for its purpose) and writes outputs to the project .ai-doc folder — users should be aware of local file reads/writes but there is no instruction to exfiltrate data.
- Install Mechanism (ok): Instruction-only skill with no install spec and no downloads — lowest-risk install mechanism. The README and SKILL.md mention using Python and PowerShell and include npm package.json metadata, but there is no automated installer or remote code fetch in the skill package.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The skill operates on local files and state files (.generate-state.json) within the project workspace; this is proportional to its stated function.
- Persistence & Privilege (note): The skill does write output and state files into the project's .ai-doc directory and keeps checkpoint state for resume — this is appropriate for its function. It does not request 'always: true' or system-wide changes. It may spawn parallel subagents conceptually (handled by the agent runtime); users should be aware this implies multiple concurrent analysis tasks and potentially high token/model usage.
