Skill v1.0.0
ClawScan security
Decision Expert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 2:01 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, CLI, and instructions are consistent with a local decision-support tool and do not request unrelated credentials, network endpoints, or system-wide privileges.
- Guidance: This skill appears coherent and self-contained: it implements local decision frameworks and a CLI without requiring credentials or network access. Before installing, you may want to (1) verify the package source/repository URL matches a trusted origin (the registry lists a GitHub URL and homepage but the skill source was noted as 'unknown'), (2) inspect package.json and run npm install / npm audit locally, (3) run the CLI in an isolated environment (or review the code) if you are cautious, and (4) be aware that using --output will write files you specify. If you need guarantees about provenance, confirm the upstream repo and signatures before trusting long-term use.
Review Dimensions
- Purpose & Capability: ok. The name/description (decision frameworks, matrix, SWOT, pros/cons) directly match the included CLI (cli.js), core library (lib/index.js), README, and SKILL.md examples. No env vars, binaries, or config paths are required, which is proportionate for a local analysis tool.
- Instruction Scope: ok. SKILL.md instructs using the provided CLI and its commands (analyze, pros-cons, swot, matrix, etc.). The runtime instructions and CLI code operate on user-supplied inputs and local output files; they do not instruct reading unrelated system files, accessing secrets, or sending data to external endpoints.
- Install Mechanism: ok. There is no install spec in the registry metadata (instruction-only), but the package includes normal Node.js project files and a bin entry for a CLI. Dependencies are common (commander, chalk, inquirer, etc.). No downloads from ad-hoc URLs or extracted archives are present.
- Credentials: ok. The skill requests no environment variables, no credentials, and no config paths. The code does not reference environment secrets or external API tokens, which is appropriate for an offline/local decision-analysis tool.
- Persistence & Privilege: ok. Flags are default (always:false) and the skill does not request permanent agent presence or modify other skills. The code persists decision objects only in memory and can export to files when the user requests output; there is no built-in background service or automatic exfiltration.
