Skill v1.0.0

ClawScan security

Project Summary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 15, 2026, 6:49 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only skill that reads project files and runs local shell commands to produce a codebase summary; its requests and actions align with its stated purpose and it does not ask for credentials or install software.
Guidance
This skill is coherent and lightweight: it simply inspects files in a repository to produce a summary and does not request credentials or install anything. Before running it, ensure the repository doesn't contain secrets or private credentials you don't want inspected or summarized (for example .env files or keys committed to the repo). Review the generated summary before sharing it externally. If you rely on a private framework-detection table referenced in the doc ('readme-generator'), ask where that logic lives if you need exact framework-matching behavior.

Review Dimensions

Purpose & Capability
ok · The name/description match the runtime instructions: the SKILL.md describes scanning repository manifests, configs, source directories, CI files, and tests to produce a summary. It declares no binaries, env vars, or installs that would be unrelated to summarizing a codebase.
Instruction Scope
note · The instructions direct the agent to read many repo files and to run local shell commands (find, grep, sed, ls, PowerShell equivalents), which is appropriate for codebase analysis. It does not instruct data transmission to external endpoints. Caution: reading the whole repository can surface secrets or sensitive files if present; the skill notes skip patterns for common generated dirs but will still read root and config files (CI, Dockerfile, etc.). It also references an external 'readme-generator' skill for framework detection, which is an external dependency in logic but not code.
Install Mechanism
ok · No install spec and no code files are present (instruction-only). Nothing is written to disk or downloaded by the skill itself, which minimizes install-time risk.
Credentials
ok · The skill requires no environment variables, credentials, or config paths. Its only I/O is reading repository files and running local inspection commands, which is proportionate to the stated goal.
Persistence & Privilege
ok · always:false and there are no instructions to modify agent or system configuration. The skill can be invoked autonomously by agents (platform default) but that is not combined here with additional privileges or credential access.