Skill v1.0.0
ClawScan security
Butterfinger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 24, 2026, 11:07 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only informational skill about the Butterfinger candy brand; it requests no credentials, installs, or file access and appears internally consistent with its stated purpose.
- Guidance: This skill appears safe and coherent: it is purely informational and asks for no permissions or installs. Before installing, note the source/owner and homepage are unknown; if you require provenance, prefer skills with a verifiable homepage or known author. Also: verify any factual claims from the skill independently (it may contain dated or approximate figures), do not grant additional environment credentials or enable "always" unless you trust the author, and review the SKILL.md yourself to confirm it matches the behavior you expect.
- Findings: [no_code_to_scan] expected: The static scanner had no code files to analyze because this is an instruction-only SKILL.md; absence of findings is expected but does not prove factual accuracy.
Review Dimensions
- Purpose & Capability (ok): Name/description (a candy-brand summary) match the SKILL.md content. No unrelated binaries, env vars, or config paths are requested.
- Instruction Scope (ok): SKILL.md contains only topical guidance and a factual summary/history about the brand. It does not instruct the agent to read files, access environment variables, call external endpoints, or transmit data.
- Install Mechanism (ok): No install spec and no code files: no downloads, no packages, and nothing written to disk. Lowest-risk model for installation.
- Credentials (ok): Requests no environment variables, credentials, or config paths. Proportional to an informational skill.
- Persistence & Privilege (ok): "always" is false and the skill is user-invocable. Default autonomous invocation is allowed (platform default) but there is no additional privilege escalation or cross-skill/config modification.
