Skill v2.1.1

ClawScan security

Init · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 21, 2026, 10:07 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This instruction-only onboarding skill is internally consistent with its stated purpose: it asks the user questions and writes human-readable config/manifest files into the home and project directories, and it does not request unrelated credentials or install external code.
Guidance
This skill appears to do what it says: it will prompt you and write human-readable config and manifest files to ~/.solo-factory/defaults.yaml and a .solo/ folder in the chosen project. Before running: 1) Back up any existing ~/.solo-factory/defaults.yaml or .solo/ you care about (the skill can overwrite these if you choose "Reconfigure from scratch"). 2) Be aware the skill will search parent directories for a templates/ directory — if you keep sensitive files nearby, know the agent may read them while looking for templates. 3) The skill suggests optional checks (like uvx solograph) but does not require installing external software. 4) If you are on a shared machine, review the generated files after running to confirm no unexpected content was written. Overall, this skill is coherent and proportional to its stated onboarding purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (founder onboarding, generate manifest, STREAM calibration, dev principles, stacks) aligns with required actions: reading/writing ~/.solo-factory/defaults.yaml and .solo/ in the project, prompting the user, and copying/generating templates. No unrelated environment variables, binaries, or external credentials are requested.
Instruction Scope
note
SKILL.md instructs the agent to read/write files under the user's home and project (~/.solo-factory/defaults.yaml and .solo/), prompt the user with AskUserQuestion, search for templates (traverse up to find solo-factory/templates/), and generate files from either found templates or inline defaults. These are appropriate for onboarding but worth noting: the file-search step could traverse parent directories to locate a templates/ directory (reads filesystem beyond the project directory). The skill also suggests running or checking for optional tooling (uvx solograph), but that is only a non-mandatory check. Instructions are otherwise scoped to config/template generation and user prompts.
Install Mechanism
ok
No install spec and no code files — instruction-only skill. That is the lowest-risk model: nothing is downloaded or extracted to disk by an installer. The skill's behavior will be limited to the allowed tools and the file operations described in SKILL.md.
Credentials
ok
The skill requires no environment variables, credentials, or special config paths beyond writing to ~/.solo-factory and the project .solo/ directory. No secrets or unrelated tokens are requested. The absence of primaryEnv and requires.env is proportional to the described functionality.
Persistence & Privilege
ok
always:false (normal), user-invocable:true. The skill writes files within the user's home and project directories (expected for an initializer). It does not attempt to modify other skills or global agent configuration. Behavior is limited to its own files.