Skill v0.1.0

ClawScan security

Coding Rules · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 8:37 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only coding-style skill for Vue3+TypeScript projects that requests no credentials or installs and is internally consistent with its stated purpose.
Guidance
This skill is instruction-only and coherent with its goal of enforcing Vue3+TypeScript coding rules: it asks for no credentials and installs nothing. Before enabling it, consider: (1) it will need access to repository files (vite.config.ts, package.json, source files) to determine applicability and enforce rules—ensure you are comfortable with that access; (2) the SKILL.md contains organizational guidance about placing skills in .ai/skills and symlinking platform folders—decide whether you want to adopt that repository layout before following it or allowing an agent to make such changes; (3) confirm the conventions (arco, unocss, @keyblade/http, naming rules) match your codebase so the enforced rules won't misapply; and (4) if you prefer to avoid autonomous enforcement, restrict invocation to manual/user-invoked only in your agent settings.

Review Dimensions

Purpose & Capability
ok: The name and description match the SKILL.md: it defines coding rules for Vue3 + TypeScript + vite + arco + unocss subprojects. It does not request unrelated binaries, env vars, or permissions.
Instruction Scope
note: The instructions are focused on code/style rules and correctly specify how to determine applicability (check for vite.config.ts and package.json dependencies). One noteworthy guidance recommends a repo layout for storing custom skills (.ai/skills with symlinks into platform folders); this is a policy recommendation rather than an explicit action, but could encourage users or agents to modify repository/platform directories if followed—review any actual automated edits before allowing them.
Install Mechanism
ok: No install spec and no code files are present (instruction-only), so nothing is written to disk by the skill itself—lowest risk for supply-chain code execution.
Credentials
ok: The skill does not request environment variables, credentials, or config paths. All referenced packages and configs (e.g., @keyblade/http, AppConfig) are contextually appropriate for the described internal coding conventions.
Persistence & Privilege
ok: always is false and there is no request for permanent presence or permission to change other skills or system-wide settings. The skill is user-invocable and can be invoked autonomously by the agent (platform default), which is expected for a skill of this type.