Skill v1.0.0

ClawScan security

cn-diff-checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 3:10 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is a small, self-contained Python text-diff tool whose code and runtime instructions match the stated purpose and request no secrets or external installs.
Guidance
This skill appears to do exactly what it says: run a local Python difflib-based comparison on two inputs. Before using it, note: (1) it will open any file path you pass, so don't give it paths to sensitive files you don't want displayed; (2) the --output flag is declared but the script does not implement writing output to a file (minor inconsistency); (3) it has no network behavior and requests no credentials. If you plan to allow autonomous agent invocation, be aware the agent could call the skill with arbitrary local paths — restrict that if you don't want automated scans of local files. If you want extra assurance, run the included script in a sandbox or inspect/execute it locally first.

Review Dimensions

Purpose & Capability
ok: The name/description (text difference checker) matches the included script and SKILL.md. The skill requires no credentials or extra binaries and only reads the two inputs the user supplies (strings or file paths), which is appropriate for a diff tool.
Instruction Scope
ok: SKILL.md instructs the agent to run the included Python script with two inputs and optional flags. The script only reads either the provided string arguments or files at the provided paths and performs difflib-based comparisons; it does not access other system state, network endpoints, or environment variables.
Install Mechanism
ok: There is no install spec and the tool uses only Python standard library. No downloads or external packages are requested, so there is no install-time risk.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The code does not read environment variables; this is proportionate to its function.
Persistence & Privilege
ok: always is false and the skill does not attempt to modify persistent agent settings. It will run only when invoked and does not request elevated or persistent privileges.