Skillv1.0.0

ClawScan security

Text Compressor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 29, 2026, 9:14 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and instructions match its stated purpose (compress/decompress text) and request no credentials or installs; minor oddities (packaging helper files with absolute local paths) are present but not inconsistent with the skill's function.
Guidance: The compressor tool itself appears benign and self-contained. Before installing or running: (1) inspect and avoid executing pack.py or package_manual.py unless you understand and expect packaging behavior—their hard-coded absolute paths suggest they were used by the author locally and could behave unexpectedly on your machine; (2) note that higher compression levels perform lossy/approximate abbreviations (e.g., replacing 'password' with 'pwd'), and decompression is imperfect—do not use on data where exact fidelity or sensitive semantics matter without verification; (3) run the script in a sandbox or with non-sensitive sample files first to verify behavior; and (4) if you plan to include this skill in automated workflows, remove or ignore the packaging helper scripts or request a cleaned package from the author.

Purpose & Capability: okName, description, SKILL.md, and scripts/compress.py align: the code implements whitespace normalization and phrase/word abbreviation and a CLI for compress/decompress. No unrelated credentials, binaries, or external services are required.
Instruction Scope: noteSKILL.md instructs only running scripts/compress.py with local files, which is scoped to the stated purpose. However, the repository also includes packaging helper scripts (pack.py, package_manual.py) that reference absolute local paths; these are not referenced by SKILL.md and are extraneous to runtime usage.
Install Mechanism: okNo install spec and no network downloads. The skill is instruction-only for runtime use and ships Python scripts only—no installers or remote fetches.
Credentials: noteThe skill declares no required environment variables or credentials, which is appropriate. Minor concern: pack.py and package_manual.py contain hard-coded Windows paths into a user's workspace (e.g., C:\Users\funky\...). These are likely leftover packaging artifacts and not required by the compressor itself.
Persistence & Privilege: okThe skill does not request always:true, does not modify other skills, and has no install step that would persist beyond its files. Normal user-invocable behavior.