Skill v1.0.0
ClawScan security
Release Gate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 5:42 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource needs are consistent with a deployment sign-off and logging helper; nothing requested is disproportionate to its described purpose.
- Guidance: This skill appears coherent for enforcing checklist-based deploy gates and logging decisions. Before installing, verify: (1) your agents actually run the verification steps (tests, schema checks, security scans) rather than just calling run_release_gate with assumed PASS values; (2) the log file path you supply is writable only by intended principals and is stored/rotated securely (avoid exposing sensitive data in logs); (3) integrate the gate as a hard pre-deploy hook (raise/abort on failures) so it cannot be trivially bypassed. Review the provided scripts/release_gate.py yourself — it's small and stdlib-only — to ensure its behavior meets your operational and audit requirements.
Review Dimensions
- Purpose & Capability (ok): Name/description match the provided SKILL.md and the included Python helper. The skill asks for no credentials, binaries, or installs, and only performs checklist evaluation and logfile appends — all coherent with a release-gate utility.
- Instruction Scope (note): SKILL.md stays within deployment gating: templates, checklist guidance, and instructions to log decisions. It does allow agents to call run_release_gate with pre-validated checklists (the function assumes items passed by the caller), which could be misused if an agent logs APPROVED without performing verification. The guidance to write logs to arbitrary paths (e.g., /opt/myapp/logs/deployments.log) is expected but requires the integrator to ensure appropriate permissions and protections.
- Install Mechanism (ok): No install spec (instruction-only) and the single included Python file uses only the stdlib. Nothing is downloaded or extracted; no external package installs are required.
- Credentials (ok): The skill requests no environment variables or credentials. Its only external interaction is writing/appending to a specified log file path, which is appropriate for audit logging but should be constrained by file permissions in deployment.
- Persistence & Privilege (ok): The skill is not always-enabled and does not modify other skills or system-wide agent settings. It does create directories and write logs when used, which is normal for a logging helper.
