Skill v1.0.0

ClawScan security

Growth Milestone Celebrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 1:02 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required resources are coherent with its stated purpose and request no external credentials or network access.
Guidance
This skill appears internally consistent and low-risk: it only formats user-provided inputs into a celebration/next-step template and does not access networks or secrets. Before installing, consider: 1) test with typical and edge-case inputs (e.g., an unfamiliar 'category' value) because the handler currently assumes categories are one of its predefined keys and may raise an error for unknown categories; 2) review or sandbox any execution if you plan to integrate it into an automated pipeline that might send arbitrary external input (to avoid runtime exceptions); and 3) no credentials or external endpoints are requested, so there is no credential-exfiltration risk from the skill as provided.

Review Dimensions

Purpose & Capability
ok: The skill is a reflection/celebration helper and only includes code and instructions to parse inputs and produce a formatted 'Growth Milestone Record'. It does not request unrelated credentials, binaries, or system paths.
Instruction Scope
note: SKILL.md limits the workflow to manual reflection (no sharing, badges, or integrations). The runtime handler reads the local SKILL.md file for metadata and uses only provided inputs to generate output. Note: handler.handle will use a user-supplied 'category' verbatim; if a caller provides an unexpected category string not in the built-in mappings, the code may raise a KeyError (robustness issue, not an indication of exfiltration).
Install Mechanism
ok: There is no install spec and no external downloads—this is instruction + local Python code only, which minimizes install risk.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The code does not read environment secrets or external configs.
Persistence & Privilege
ok: 'always' is false and the skill does not modify other skills, system settings, or persist tokens. Autonomous invocation is allowed by default but not combined with any broad privileges or credential access.