Skill v2.0.6
ClawScan security
FOSMVVM React View Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 14, 2026, 4:29 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are internally consistent with its stated purpose of generating FOSMVVM-based React view components; it is an instruction-only generator that doesn't request credentials, installs, or unrelated system access.
- Guidance: This skill appears to be exactly a template-based generator for FOSMVVM React view components and is internally consistent. Before installing or using it:
  1) Confirm your project actually uses the global FOSMVVM runtime (script tag / WASM bridge) because generated components rely on FOSMVVM on the global namespace.
  2) Review generated files before committing; these are templates and may need adapting to your codebase (naming, imports, routing).
  3) Avoid pasting secrets or sensitive configuration into the conversation or spec files you provide as input; the skill uses conversational/spec context to generate code.
  4) Because this is an instruction-only skill, it won't install binaries or ask for credentials, but inspect generated outputs and run your test suite locally to validate behavior.
Review Dimensions
- Purpose & Capability (ok): Name/description (generate React components for FOSMVVM ViewModels) lines up with the SKILL.md and reference templates. The skill does not request unrelated binaries, environment variables, or config paths. All required artifacts (tests, .jsx/.test templates, use of global FOSMVVM) are coherent with the described purpose.
- Instruction Scope (note): SKILL.md instructs the agent to generate test files first and then component files using provided templates and conversational context. It does not instruct reading arbitrary system files or accessing credentials. Two minor notes: (1) the doc repeatedly says the generator is "context-aware" and may reference conversation-provided specification files; if you paste private data/specs into the conversation, that data will be used in generation, so avoid sharing secrets in chat; (2) the skill assumes FOSMVVM utilities are available on the global namespace (script tag / WASM bridge), so generated code will depend on that runtime.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files to write during install (lowest-risk category). Nothing is downloaded or executed during installation.
- Credentials (ok): No environment variables, credentials, or config paths are requested. Templates reference global FOSMVVM at runtime (a runtime dependency, not an env secret), which is reasonable for this generator.
- Persistence & Privilege (ok): "always" is false and the skill does not request persistent system configuration or elevated privileges. Autonomous invocation is allowed by default, but that is normal for skills; there is no sign of this skill attempting to modify other skills or system-wide settings.
