Skill v1.0.0

ClawScan security

Dependency Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 15, 2026, 6:48 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and behavior are consistent with a dependency-audit tool — it runs local package manager audit/outdated/unused checks and suggests updates; nothing requested is disproportionate to that purpose.
Guidance
This skill appears coherent and appropriate for auditing dependencies, but it will run shell commands in your project and may suggest or execute package-manager operations that modify local state (installing audit tools, running `npm audit fix`, `npm update`, etc.). Before running: (1) review and approve generated commands rather than auto-running them; (2) prefer running in an isolated environment (container, VM, or branch) to avoid unintended changes to your system or repo; (3) be aware `npx` executes code fetched from the registry and installing tools (cargo/pip) writes to your home environment; (4) if your project uses private registries or tokens, ensure those credentials are not inadvertently exposed when running commands or when pasting outputs to external services. If you want stricter safety, run the audit manually using the commands the skill generates.
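The guidance above amounts to two controls a practitioner can put between the agent and the shell: an approval gate that lets only known read-only checks run unattended and holds anything that installs, updates, or fetches code (`npx depcheck`, `npm audit fix`, `pip install pip-audit`, `cargo install cargo-audit`), and a redaction pass over command output before it is pasted into any external service. The POSIX shell script below is an added example written for this page; it is not part of the skill or of the scanner output. The allowlist of read-only commands, the sample command plan, and the sample `.npmrc`-style and index-URL lines are constructed assumptions for the example.

```shell
#!/bin/sh
# Approval gate and output redaction for an agent-proposed dependency-audit plan.
# Added example, not part of the ClawHub skill or the scanner output. The set of
# commands treated as read-only below is an assumption made for this example.

# classify_cmd CMD: print "allow" for an exact match of a known read-only check,
# "review" for anything else (installs, fixes, updates, npx fetches, unknowns).
# Exact matching is deliberate: a prefix rule for "npm audit" would also let
# "npm audit fix" through.
classify_cmd() {
  case "$1" in
    'npm audit'|'npm audit --json'|'npm outdated'|'npm outdated --json') echo allow ;;
    'pip-audit'|'pip list --outdated') echo allow ;;
    'cargo audit'|'cargo outdated') echo allow ;;
    'govulncheck ./...') echo allow ;;
    *) echo review ;;
  esac
}

# gate_plan: read one proposed command per line on stdin and print
# "<verdict><TAB><command>" so a human can approve the held lines.
gate_plan() {
  while IFS= read -r cmd || [ -n "$cmd" ]; do
    [ -n "$cmd" ] || continue
    printf '%s\t%s\n' "$(classify_cmd "$cmd")" "$cmd"
  done
}

# count_held: number of plan lines that must wait for human approval.
count_held() {
  gate_plan | grep -c '^review'
}

# redact_tokens: mask registry credentials in stdin before output leaves the
# machine. Covers .npmrc-style _authToken= / _auth= entries and user:password@
# in index URLs. Passwords containing a literal "/" are not matched; in URLs
# they are normally percent-encoded (%2F), so this keeps host:port/path intact.
redact_tokens() {
  sed -E \
    -e 's#(_authToken=|_auth=)[^[:space:]]+#\1[REDACTED]#g' \
    -e 's#(://[^/@[:space:]]+:)[^/@[:space:]]+@#\1[REDACTED]@#g'
}

# Constructed sample plan, as an agent might propose it (one command per line).
SAMPLE_PLAN='npm audit --json
npm outdated --json
npx depcheck
npm audit fix
pip-audit
pip install pip-audit
cargo audit
cargo install cargo-audit
govulncheck ./...'

# Constructed sample of output that must not be pasted anywhere unredacted.
SAMPLE_OUTPUT='//registry.npmjs.org/:_authToken=npm_abc123
PIP_INDEX_URL=https://deploy:s3cr3t@pypi.example.internal/simple'

printf '%s\n' "$SAMPLE_PLAN" | gate_plan
printf '%s\n' "$SAMPLE_OUTPUT" | redact_tokens
```

In the sample plan, five commands are allowed and four are held for review. Run the agent's proposed plan through `gate_plan` first, execute only the `allow` lines automatically, and pipe anything you intend to share through `redact_tokens`; the regexes only catch the credential shapes named in the comments, so add patterns for whatever your private registries actually use.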

Review Dimensions

Purpose & Capability
ok
Name and description match the runtime instructions: detecting language manifests, running audits (npm/pip/cargo/govulncheck), checking outdated packages, identifying unused deps, and creating update plans. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note
SKILL.md instructs the agent to run shell commands in the project root (audit commands, outdated checks, depcheck, grepping source files). It also recommends installing missing audit tools (e.g., `pip install pip-audit`, `cargo install cargo-audit`) and using `npx depcheck` which fetches and executes a package. These actions are within the audit purpose but will execute code, access project files, and may change local state (installing tools, updating lockfiles if the recommended commands are run).
Install Mechanism
ok
This is an instruction-only skill with no install spec or shipped code. The SKILL.md recommends using standard package managers to install audit tooling if absent; that's expected for this functionality and there is no embedded arbitrary download URL or extractor in the skill itself.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The commands may interact with package registries and local configs (e.g., npm registry settings), but the skill does not declare or demand any secrets.
Persistence & Privilege
ok
`always` is false and the skill does not request persistent/system-wide privileges. The instructions may cause the user to install CLI tools into their environment if they follow them, but the skill itself does not install or persist code on the agent platform.