Skill v1.0.0

ClawScan security

Clean Unused Deps · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 10:13 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and requirements are consistent with its stated purpose (finding and removing unused npm packages); it asks for no credentials or installs and is instruction-only.
Guidance
This skill appears coherent for identifying and removing unused npm packages, but take precautions before uninstalling: run it in a git branch, commit or stash changes first so you can revert; run your test suite and build after removals; be aware depcheck can miss dynamic imports or tools invoked only in scripts (CI/build). Prefer running depcheck via npx (npx depcheck) rather than a global install, and review depcheck output carefully before running npm uninstall. If you let an agent run this autonomously, restrict it from executing destructive commands without explicit user confirmation.

Review Dimensions

Purpose & Capability
ok: Name and description match the instructions: it uses depcheck to detect unused npm deps and npm uninstall to remove them. The requested tools (Node/npm and depcheck) are appropriate for this task.
Instruction Scope
note: The SKILL.md confines actions to running depcheck and npm uninstall, which is within scope. However, the instructions are minimal and omit safety guidance (e.g., run tests, use a branch, use version control, review dynamic imports or build-time dependencies). The simple workflow could lead to accidental removal of legitimately used packages if depcheck reports false positives.
Install Mechanism
ok: No install spec and no code files — lowest-risk, instruction-only skill. It does recommend installing depcheck globally but does not perform any downloads or write to disk itself.
Credentials
ok: The skill requests no environment variables, credentials, or config paths — consistent and proportional for its purpose.
Persistence & Privilege
ok: always is false and the skill does not request persistent/system privileges. It does not modify other skills or system-wide settings.