Back to skill
Skillv1.0.0
ClawScan security
Sillytavern Charactecard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 2:50 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions match its stated purpose (importing, parsing, converting, and exporting SillyTavern character cards) and do not request unrelated credentials, network access, or privileged system modifications.
- Guidance
- This skill appears coherent and focused on SillyTavern character-card handling and does not ask for credentials or network access. Before installing, review the full utils.js file (the listing provided here is truncated) to confirm there are no hidden network calls, child_process usage, or arbitrary file writes in the remaining code. As a general precaution, only use the skill with character files you trust or test with sample inputs, since parsing malformed images/JSON could trigger runtime errors. If you plan to run this in a sensitive environment, run it in a sandbox or inspect the entire codebase first.
Review Dimensions
- Purpose & Capability
- okName/description describe SillyTavern character-card import/export and the included utils.js implements PNG/JSON detection, extraction, normalization, validation, and embedding—functionality coherent with the stated purpose. Required binaries/env/config are none, which is appropriate.
- Instruction Scope
- okSKILL.md instructs the agent to read user-provided files, detect format, extract/validate data, display info, and produce files—all within the expected scope. It does not instruct reading unrelated system files or sending data to external endpoints.
- Install Mechanism
- okNo install spec; the skill is instruction+utility code only. The bundled utils.js uses standard Node built-ins (fs, path, crypto). There are no downloads, package installs, or external sources in the provided files.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths. The code shown does not reference process.env or external tokens and only operates on buffers/files supplied by the user.
- Persistence & Privilege
- okalways is false and the skill does not request permanent presence or modify other skills/system-wide settings. Autonomous invocation is allowed (platform default) but not combined with elevated privileges.