Back to skill
Skillv0.1.0
ClawScan security
Subagent Driven Development · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 8:39 AM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and intended behavior are internally consistent with a workflow for spawning per-task subagents and multi-stage review; it asks for nothing unusual, but it references local prompt files and external tooling that you should verify before use.
- Guidance
- This skill is instruction-only and looks coherent for orchestrating per-task subagents. Before enabling it: (1) confirm the referenced prompt files (./implementer-prompt.md, ./verification-prompt.md, etc.) exist and contain safe, intended prompts; (2) verify what 'TodoWrite' and 'superpowers:finishing-a-development-branch' refer to and whether they interact with external services or repos; (3) avoid providing sensitive secrets or workspace state in sessions where the skill will spawn reviewers you don't control; and (4) test in a sandboxed session to ensure the subagent dispatch behavior matches your expectations.
Review Dimensions
- Purpose & Capability
- okName/description (subagent-driven development) align with the SKILL.md: it describes dispatching implementer/verification/reviewer subagents, independent verification, and failure recovery. There are no requested binaries, env vars, or credentials that contradict the stated purpose.
- Instruction Scope
- noteSKILL.md stays within the development workflow but references local files (./implementer-prompt.md, ./verification-prompt.md, ./fix-subagent-prompt.md) and integration points (TodoWrite, superpowers:finishing-a-development-branch) that are not included in the manifest. The instructions direct the agent to read the session plan and spawn subagents, but they do not ask for unrelated system files or credentials.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. Nothing will be downloaded or written by an installer.
- Credentials
- okNo environment variables, credentials, or config paths are required. The skill's scope does not request secrets or access beyond the current session context.
- Persistence & Privilege
- okalways:false (not force-included). The skill is user-invocable and may be autonomously invoked by the agent (default), which is expected behavior and not excessive here. It does not request system-wide changes or other skills' configs.