Skill v1.0.0
ClawScan security
bug-pattern-diagnosis-en · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 7:12 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (symptom-based bug diagnosis using an on-repo case library) matches its runtime instructions and resource needs; it reads and references files under experience/ and optionally writes new case files, and it does not request unrelated credentials or install anything.
- Guidance: This skill appears coherent and operates only on the local experience/ case library: it will read BUG*.md files and may write new BUGxx.md entries after a confirmed investigation. Before installing, consider: (1) review the experience/ files to ensure they contain no sensitive data you don't want an agent to read or summarize; (2) be comfortable with the agent creating new files in experience/ (these may be persisted to version control if you commit); (3) the SKILL.md forbids copy-pasting fixes, but always verify any suggested remediation manually before applying code changes. If you prefer the agent not to write files, disable or modify that behavior before use.
Review Dimensions
- Purpose & Capability: ok. Name/description promise (use past cases as references for diagnosing intermittent bugs) aligns with the SKILL.md and the included BUG01.md case. The skill only relies on the on-repo experience/ library and does not require external credentials, binaries, or unrelated system access.
- Instruction Scope: ok. Runtime instructions explicitly tell the agent to: collect symptoms from the user, read symptom/checklist sections from BUG*.md under experience/ for reference, perform independent investigation, and after a confirmed diagnosis write a new BUGxx.md into experience/. All file reads/writes are limited to the case library and are coherent with the stated purpose. The SKILL.md explicitly forbids copy-pasting fixes from cases.
- Install Mechanism: ok. No install spec and no included binaries or code to execute. Instruction-only skills are lower-risk because nothing is downloaded or installed at install time.
- Credentials: ok. The skill declares no required environment variables, no primary credential, and no config paths. The lack of credentials is proportionate to a purely on-repo, diagnostic/reference skill.
- Persistence & Privilege: note. The skill is not always-enabled and does not request elevated privileges, but it does instruct the agent to accumulate new cases by writing BUGxx.md files into experience/. This is consistent with the purpose, but users should be aware the skill will create repository files that may be persisted or committed.
