Skill v2.0.1
ClawScan security
Pattern Miner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 21, 2026, 1:28 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's claimed purpose and instructions do not match the code: the README/metadata promise features (Jinja2/template generation, CSV/JSONL support, config use, ML libs) that the included script does not implement — this looks like an incomplete or misleading package rather than clearly benign code.
- Guidance: This package appears inconsistent: the top-level description promises template generation and shell automation, SKILL.md promises CSV/JSONL and ML-powered analysis, but the only code simply loads a JSON file and prints basic information. That suggests the skill is incomplete, mislabeled, or a placeholder rather than intentionally malicious. Before installing or using it:
  1. Ask the author to clarify the intended functionality and why SKILL.md lists dependencies and config that the code doesn't use.
  2. Review any future code changes to ensure promised features are actually implemented.
  3. Run the script on non-sensitive sample files in an isolated environment to verify behavior and monitor network activity.
  4. Avoid trusting the privacy claim until you verify no network calls are made (e.g., inspect code or run in a sandbox).

  If you need the advertised capabilities (pattern mining, template generation), prefer a skill/tool whose code and documentation align.
Review Dimensions
- Purpose & Capability (concern): The registry header/skill summary (mentions detecting repeated code/commands and generating Jinja2 templates and shell automation) does not match the SKILL.md, which describes data-file pattern analysis. The single included script only loads a JSON file and prints basic metadata; it does not perform pattern mining, does not generate templates/scripts, and does not use ML libraries. Required dependencies listed in SKILL.md (numpy, scikit-learn, pandas) are disproportionate to the actual code.
- Instruction Scope (concern): SKILL.md instructs installing heavy analysis packages, claims support for CSV/JSONL, describes a configuration file at ~/.pattern-miner/config.json, and promises exports and anomaly detection. The provided script neither reads the config nor supports CSV/JSONL or any analysis beyond printing JSON structure. SKILL.md's privacy claim ('no access to system files or shell history') is plausible given the current script, but the larger instructions are vague and overbroad compared to the actual runtime behavior.
- Install Mechanism (ok): No install spec is provided (instruction-only plus a small script). That minimizes install-time risk; nothing is downloaded or extracted by the skill itself.
- Credentials (note): The skill requests no credentials or config paths (good). However, SKILL.md recommends installing unrelated heavy dependencies which are not used by the code; this is an unnecessary ask but not a credential risk. No environment variables are declared or accessed in the code.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable only. It does not modify other skills or system configuration. Autonomous invocation is allowed by default (platform behavior) but there are no other elevated privileges requested.
