Skill v1.0.0
ClawScan security
Craft Habit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 9:59 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only habit-design skill that is internally consistent with its stated purpose and requests no sensitive access or installs.
- Guidance: This skill is an instruction-only habit-builder and appears coherent and low-risk: it only uses the bundled template file and asks the user simple prompts to produce practice plans. Before installing, consider that the author is anonymous (no homepage), so if provenance matters to you, prefer skills from known publishers. Also remember it provides habit guidance, not technical coaching; if you need technique-level feedback or safety-critical instruction, consult a qualified teacher. Otherwise it’s safe to use.
Review Dimensions
- Purpose & Capability (note): Name/description (designing creative practice habits) match the SKILL.md instructions. The skill asks for no binaries, env vars, installs, or external services; all proportional. Minor note: the registry metadata has no homepage and an anonymous owner ID, so provenance is unclear but not inconsistent with function.
- Instruction Scope (ok): Runtime instructions are limited to asking the user for simple inputs and producing a practice blueprint, habit stack, warm-up/shutdown rituals, tracking suggestions, and an obstacle playbook. It references the included references/habit-stack-template.md file (bundled), which is appropriate and harmless. There are no instructions to read unrelated files, access environment variables, call external endpoints, or exfiltrate data.
- Install Mechanism (ok): No install spec and no code files: the skill is instruction-only, so nothing will be written to disk or fetched. This is the lowest-risk install model.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The SKILL.md does not request access to secrets or other services, so requested privileges are proportional to the stated purpose.
- Persistence & Privilege (ok): always is false and model invocation is allowed (the platform default). The skill does not request persistent installation, modify other skills, or ask for system-wide config. Given the lack of sensitive access, this level of autonomy is acceptable.
