Back to skill
Skillv1.0.12
ClawScan security
Recipe Create Task List · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 6:36 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions are consistent with its stated purpose: it requires the gws CLI and a companion gws-tasks skill to create Google Tasks entries, and it does not ask for unrelated credentials or install arbitrary code.
- Guidance
- This recipe will run gws CLI commands to create a Google Tasks list and add tasks. Before installing or invoking it: (1) ensure the gws binary on your PATH is the genuine Google Workspace CLI you expect, (2) confirm which Google account gws is authenticated to (the skill will act using those credentials), and (3) be prepared to provide/replace TASKLIST_ID (or capture it from the tasklist creation output) when running the steps. If you do not want the agent to modify your real Tasks, test with a secondary account or ensure gws is unauthenticated in the environment used for testing.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the SKILL.md runs gws CLI commands to create a Google Tasks list and tasks. The declared required binary (gws) and the metadata dependency on the gws-tasks skill are proportionate to the stated purpose.
- Instruction Scope
- noteInstructions are narrowly scoped to gws tasks commands and do not request unrelated files or environment variables. Minor usability gap: the recipe uses a placeholder TASKLIST_ID but doesn't show capturing the created tasklist's ID (the user/agent must replace it manually or parse the create output).
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no bundled code; nothing is downloaded or written to disk by the skill itself.
- Credentials
- noteNo environment variables or credentials are declared, which is reasonable for a thin recipe. However, the gws CLI typically requires prior authentication; the skill implicitly relies on whatever Google credentials the gws binary is already configured with. That means the skill will act with the permissions of the existing authenticated account.
- Persistence & Privilege
- okalways is false and the skill does not request persistent/system-level changes or access to other skills' configuration. It simply instructs running gws commands when invoked.