Skill v2.0.6

ClawScan security

FOSMVVM Fluent DataModel Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 14, 2026, 7:44 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (generate Fluent DataModels) matches its instructions and resource needs; it is an instruction-only generator that does not request credentials or install code.
Guidance
This is an instruction-only code generator for Fluent models and is coherent with its stated purpose. Before installing/using it:
1) Confirm the project actually uses Fluent (Package.swift, property wrappers, Migrations/)—the skill will inspect repo context to make decisions.
2) Run fosmvvm-fields-generator first if you need form-backed Fields.
3) Review the generated Swift files, migrations, and seeds before committing or running them (and run tests in a safe environment).
4) If you have sensitive files in the repo, consider restricting the agent's file-access scope, since the skill expects to read project files to detect Fluent usage.
If you want a tighter audit, ask the skill author to document exactly which files/paths it will read and to provide a dry-run output only.

Review Dimensions

Purpose & Capability
ok
Name and description match the SKILL.md templates and workflow. The files and templates are focused on creating Fluent models, migrations, seeds, and tests for a Vapor/Fluent server target. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
note
Instructions expect the agent to inspect the project context (Package.swift, existing model files, Migrations/, imports) to detect Fluent usage and to consult prior fields-generation output. This is appropriate for a code generator, but the guidance is somewhat open-ended ('references conversation context automatically—no file paths or Q&A needed'), which grants the agent broad discretion to read repository/project files. Reviewers should ensure the agent's repo/file-access policies are acceptable and that generated output is reviewed before committing.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. No downloads or install steps are present, minimizing disk-write and supply-chain risk.
Credentials
ok
The skill declares no environment variables, credentials, or config paths. The templates reference only project-local code and standard Fluent/Vapor constructs—no disproportionate credential or secret access is requested.
Persistence & Privilege
ok
always is false and the skill is user-invocable; it does not request permanent presence or system-wide configuration changes. It does rely on conversation/repo context but does not attempt to modify other skills or global agent settings.