Skill v1.0.0
ClawScan security
AI OS Blueprint · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 10:43 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only audit/blueprint that is internally consistent with its stated purpose and does not request credentials, binaries, or installs.
- Guidance: This is an instruction-only blueprint and appears coherent: it provides audit checklists and a rebuild plan but does not itself access your machine or credentials. Before using it: (1) do not paste secrets or API keys into chat — answer audits with descriptions rather than copy-pasting credentials; (2) be cautious about the paid upsells mentioned (e.g., MCP Server Setup Kit) — verify the vendor before purchasing or downloading anything outside this skill; (3) if you expect the skill to actually inspect files or run tooling, note that it can't do that without additional code/install instructions — any future prompts that ask you to run commands or provide credentials should be treated with care. If the author later adds install scripts, downloads, or requests environment variables, re-evaluate for proportionality and source reputation.
Review Dimensions
- Purpose & Capability: ok. Name and description claim a diagnostic blueprint and rebuild plan; the SKILL.md is an audit framework and guidance only. It does not declare or request unrelated resources (no env vars, no binaries, no installs), so the requested capabilities align with the stated purpose.
- Instruction Scope: ok. SKILL.md contains checklists, scoring rubrics, and architectural guidance. It does not instruct the agent to read local files, access environment variables, run shell commands, or transmit data to external endpoints. To perform an audit it expects user-provided answers rather than autonomous access to system secrets.
- Install Mechanism: ok. There is no install spec and no code files — the skill is instruction-only, which is the lowest-risk install pattern. References to separate paid kits (MCP Server Setup Kit) are marketing notes without install URLs or scripts in the skill itself.
- Credentials: ok. The skill requests no environment variables or credentials. It advises best practices (e.g., using a secrets manager) but does not require or access secrets itself; the declared environment footprint is proportional to the task.
- Persistence & Privilege: ok. Skill flags show default autonomy settings but always:false and no special privileges. It does not request persistent installation or modify other skills or system configuration.
