Skill v1.0.0
ClawScan security
Ai Humanizer 2.1.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 1:39 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and resource requirements are consistent with a local text 'humanizer' tool — it asks for no secrets or external installs and its behavior matches the description.
- Guidance: This appears to be an open-source, self-contained humanizer tool that runs locally and does what its description claims. Before installing or invoking it:
  1. If provenance matters, verify the repository URL and owner (package _meta.json and registry ownerId differ) and prefer the official GitHub repo referenced in package.json/README.
  2. If you plan to run the bundled CLI, review src/cli.js and patterns code for any network calls (none were evident in the supplied files) and run tests locally (npm test) in a safe environment.
  3. Avoid pasting highly sensitive data into third‑party tools unless you’ve reviewed their network behavior.
  4. If you want the agent to use this skill autonomously, remember it will process text you send it — that’s expected behavior but consider privacy for sensitive content.
Review Dimensions
- Purpose & Capability (note): The name/description (remove AI-writing patterns, humanize text) matches the included code (24 pattern detectors, stats engine, CLI). No unrelated environment variables, binaries, or cloud credentials are requested. Minor inconsistency: registry metadata lists a different ownerId than the package _meta.json, and the skill's registry 'Source' is listed as unknown while package.json points to a GitHub repo; this is a provenance/data mismatch to verify but does not change functionality.
- Instruction Scope (ok): SKILL.md instructs the agent to analyze and rewrite provided text using the 24 pattern detectors and statistics; examples/CLI usage refer only to reading input files or stdin. The instructions do not direct the agent to read unrelated system files, environment secrets, or send data to external endpoints.
- Install Mechanism (note): There is no install spec (instruction-only skill), so nothing is automatically downloaded. The bundle includes full Node.js source and a CLI (src/cli.js, package.json). Running the CLI or requiring the module will execute local JavaScript — there are no declared external dependencies. This is normal for a packaged tool but worth noting: code will run locally if invoked.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The code and SKILL.md also do not reference secrets or external API keys — requested privileges are proportional to the stated purpose.
- Persistence & Privilege (ok): Flags show always:false and user-invocable:true. The skill does not request permanent presence or special agent privileges, nor does it claim to modify other skills or system settings.
