Skill v1.0.1

ClawScan security

Dotnet Dump Perf Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 30, 2026, 5:23 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with its stated purpose (performing .NET diagnostics) and do not ask for unrelated credentials or unusual system access, but users should be aware of normal operational risks like elevated privileges, large dumps, and sensitive data in crash dumps before running it.
Guidance
This skill appears coherent and implements standard .NET diagnostic workflows. Before using it: (1) ensure you install tools (dotnet CLI tools, WinDbg, PerfView) from official sources; (2) be aware that collecting full process dumps creates large files and requires disk space and sometimes elevated privileges; (3) memory dumps may contain sensitive data (credentials, tokens, PII) — avoid uploading or sharing dumps without sanitizing/redacting or using secure channels; (4) installing dotnet tools with -g changes your global dotnet toolset — review what gets installed; and (5) on Windows you may need admin rights for perfmon/WinDbg and on Linux/macOS you may need sudo for some capture operations. If you want additional assurance, request the missing sections of SKILL.md (report-generation steps and any external download URLs) to confirm any third-party downloads are from trusted release pages.

Review Dimensions

Purpose & Capability
ok
The name/description match the instructions: the SKILL.md explicitly uses dotnet-counters, dotnet-trace, dotnet-dump, dotnet-gcdump, WinDbg and PAL for diagnosis and reporting. Required tools and binaries discussed are appropriate for .NET performance analysis and nothing unrelated (cloud creds, unrelated system services) is requested.
Instruction Scope
note
Instructions focus on monitoring, trace collection, dump capture, and offline analysis, all of which are expected. They direct the agent/operator to create and analyze process dumps and to set runtime paths (setclrpath). Important operational notes: capturing/analyzing dumps may require elevated privileges and produces files that can contain sensitive application data (secrets, memory contents). The SKILL.md does not instruct sending data to external endpoints, which is good.
Install Mechanism
ok
This is an instruction-only skill with no install spec or code files, which is the lowest install risk. The SKILL.md recommends using dotnet tool install -g and installing WinDbg/PerfView from their official sources; installing global dotnet tools and third-party viewers is expected for this use case.
Credentials
ok
No environment variables, credentials, or config paths are required by the skill beyond normal filesystem access to capture/analyze dumps. The absence of credential requests is proportionate to the stated purpose.
Persistence & Privilege
ok
The skill is not always-on and does not request elevated platform privileges by default. It does not attempt to modify other skills or system-wide agent settings. Note that some diagnostic actions (dump capture, perfmon) may require OS-level privileges when executed by a user/operator.