Skill v1.3.3

ClawScan security

Skill Design Guide Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 4:34 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
An instruction-only design guide that is internally consistent with its stated purpose and requests no credentials, binaries, or install actions.
Guidance
This skill is a documentation-only design guide and appears coherent and low-risk: it asks for nothing sensitive and contains no executable install steps. Before installing, verify the source repo (homepage link) if provenance matters, review the trigger keywords so it only loads when you want it, and treat its recommendations as guidance (not enforcement). If you plan to use its templates in production, apply your own security and access guardrails for any scripts/tools you implement based on the guide.

Review Dimensions

Purpose & Capability
ok: Name/description (skill design guide) match the actual contents: an architecture decision guide and checklist. The skill requires no env vars, binaries, or installs, which is proportionate for a documentation/guide skill.
Instruction Scope
ok: SKILL.md contains design guidance, patterns, checklists and trigger keywords. It does not instruct the agent to read unrelated system files, access credentials, or transmit data to external endpoints. References are local files included in the repo and meant for on-demand reading as part of design guidance.
Install Mechanism
ok: No install specification and no code files — this is instruction-only. That is the lowest-risk install posture and appropriate for a documentation-style skill.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. Nothing requested is disproportionate to its purpose as a design guide.
Persistence & Privilege
ok: Flags: always=false (default), user-invocable=true, disable-model-invocation=false. These defaults are normal for a user-invocable skill. The skill does not request persistent system privileges or attempt to modify other skills' configs.