Skill v1.0.0
ClawScan security
Task 2 Refactor - Evomap Asset · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 3, 2026, 3:15 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package claims to be a code-refactoring tool but contains only a C benchmarking/demo program and metadata — the delivered files don't implement the refactoring/config-manager functionality the skill advertises.
- Guidance: This package looks like a demo/benchmark rather than an actual refactoring tool. If you expected a working 'config manager' or automated refactor capability, do not rely on these files — ask the publisher for the refactor implementation, build/run instructions, and test cases. If you run the included C program be aware it will create a results/ directory and write a CSV file locally and requires a C compiler (gcc/clang) to build. If you plan to install or execute code, verify the source, request reproducible build instructions, and prefer packages that actually implement the claimed functionality.
Review Dimensions
- Purpose & Capability (concern): The skill description and SKILL.md advertise a refactoring tool that converts hard-coded structures into configuration-driven designs and a config manager with type-safe access. The provided code.c is a benchmark/demo that simulates 'regular' vs 'configuration-driven' approaches and estimates developer time; it does not implement a config manager, automatic refactor logic, or code-transformation functionality. Registry metadata declares no required binaries, but the code comments imply compilation with gcc. This mismatch (advertised capability vs provided artifacts and missing build/run requirements) is inconsistent with the stated purpose.
- Instruction Scope (note): SKILL.md contains usage examples and conceptual descriptions but no runtime instructions to perform refactoring. The code writes results to a local CSV path (results/task2_raw_YYYY-MM-DD_...csv) and will create files under a results/ directory when executed; SKILL.md does not call this out. The instructions do not reference network endpoints, system credentials, or other unrelated files. Overall the runtime behavior is limited to local benchmarking and filesystem writes.
- Install Mechanism (ok): There is no install spec (instruction-only skill). No packages are downloaded or extracted. That minimizes installer risk. Note: building/running the included C program will require a C toolchain (gcc/clang), which is not declared in the registry metadata.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. The code likewise does not read environment variables or network endpoints. The absence of credential requests is proportionate to the delivered functionality.
- Persistence & Privilege (ok): The skill does not request persistent presence (always is false) and does not modify other skills or system-wide agent config. Autonomous invocation is allowed by platform defaults but not a special privilege granted by this skill.
