Skill v1.0.0

ClawScan security

Filesystem Access (GreaterPeter) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 11:52 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (read/write/list files inside the workspace) matches its requirements and instructions, but the runtime guidance is advisory and leaves enforcement to the agent/platform, so exercise caution when allowing autonomous file operations.
Guidance
This skill is internally consistent for workspace-local file operations, but its safety constraints are advisory only. Before enabling: (1) ensure your agent platform enforces workspace boundaries and requires explicit user confirmation for writes/deletes; (2) prefer prompting the user before any write or delete; (3) consider limiting autonomous invocation or auditing logs for file operations; and (4) test in a restricted workspace (non-sensitive files) first to verify behavior.

Review Dimensions

Purpose & Capability
ok: Name and description claim workspace-local file access; there are no unrelated environment variables, binaries, or install steps requested. The skill is instruction-only and its declared purpose aligns with what the instructions describe.
Instruction Scope
note: SKILL.md limits actions to workspace-relative paths and forbids writes outside the workspace, but these are high-level, advisory constraints (e.g., 'avoid deleting important files') rather than enforceable checks. 'Workspace' is not programmatically defined here, and the agent is given discretion about what to access and when.
Install Mechanism
ok: No install spec or external downloads — instruction-only skill, so nothing is written to disk or fetched during install.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. There are no extraneous secret requests relative to the stated file-access purpose.
Persistence & Privilege
note: always:false (not force-installed). The skill allows model invocation (default), so an agent could run its file-access actions autonomously if the platform permits — this increases potential impact but is a platform-level policy consideration rather than a mismatch in the skill itself.