Skillv1.4.0

ClawScan security

Add to Awesome Agent-Native Services · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 16, 2026, 6:52 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only contributor guide for adding services to the awesome-agent-native-services catalog; it requests no credentials or installs and its instructions are coherent with the stated purpose.
Guidance: This skill is a written, step-by-step contributor guide and appears coherent with its purpose, but it instructs agents to interact with external sites and run shell/npm/pip commands as part of onboarding. If you let an agent act on these instructions, review and approve actions before allowing automated registrations, installs, or PRs; do not provide credentials or elevated repo write/push permissions unless you trust the agent and maintainer process. If you want to be extra safe, run the steps manually or allow the agent to prepare drafts only (issue/PR text) and require a human to perform the actual submission and any account provisioning.

Review Dimensions

Purpose & Capability: okName, description, and SKILL.md all describe a step-by-step contributor guide. The actions referenced (read homepages/docs, open a GitHub issue, write a service file, use npx/pip examples) are consistent with adding entries to the catalog. No unrelated credentials, binaries, or config paths are required.
Instruction Scope: noteThe SKILL.md explicitly instructs agents to 'Read <url> and follow the instructions', inspect remote documentation, search the catalog README, open GitHub issues, and includes example shell/npm/pip commands. These steps are within scope for adding a service, but they can produce side effects (automated registration, running install commands, creating PRs) if an agent is allowed to act autonomously—so reviewer caution is warranted.
Install Mechanism: okNo install spec and no code files are present (instruction-only). Nothing will be downloaded or written by an installer; risks from package install sources are not introduced by the skill itself.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The requested actions (web reads, GitHub issue creation, writing files in the repo) align with its purpose and don't ask for unrelated secrets.
Persistence & Privilege: okalways:false and no special persistent privileges are requested. The skill does allow use of tools (WebSearch, Read, Write, Shell) which is appropriate for a contributor workflow but means an agent could run commands or create PRs if permitted; this is a normal capability for such a guide.