Skill v1.0.0
ClawScan security
Generate project documentation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 2, 2026, 7:49 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (generate docs into docs/) matches its instructions and requirements; it is an instruction-only skill that reads project files and writes documentation, with no extra credentials or installs requested.
- Guidance: This skill appears coherent and appropriate for auto-generating project docs: it will scan repo structure, read project metadata and source (via subagents), and write files under docs/. Before running it: (1) back up your existing docs/ if you care about current content—the skill will offer an overwrite/append/cancel choice but still writes files; (2) confirm your agent runtime enforces the guardrails claimed (that subagents only return a one-line summary and that .env/.venv are excluded); (3) ensure you trust the execution environment to handle the stated Bash/write operations (some platforms may not support arbitrary shell commands or may elevate risk if they do); (4) review the generated docs for accuracy — the skill states it will not fabricate behaviour, but automated summarization can still misinterpret code. If any of these platform guarantees (enforced summary-only returns, exclusion of sensitive files, safe file-write APIs) are absent, consider running the skill on a copy of the repo first.
Review Dimensions
- Purpose & Capability (ok): Name/description match what the SKILL.md and prompt templates do: scan repository structure, read project metadata and source (via subagents), and write docs/*.md. No unrelated credentials, binaries, or install steps are requested.
- Instruction Scope (note): Instructions carefully separate roles: main agent does top-level scanning (glob only) and coordination, subagents read source/config files and write docs. The skill explicitly excludes sensitive paths (e.g., .env) and promises subagents only return one-line summaries. Two small points to note: (1) some subagent prompts instruct running a Bash mkdir command (mkdir -p docs/modules) — this is a filesystem write operation rather than pure prompt work and assumes the runtime allows shell operations; (2) the safety of 'never return document content' depends on the platform enforcing that constraint for subagents. Both are operational considerations rather than conceptual mismatches.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files to be written by an installer. Lowest install risk.
- Credentials (ok): No environment variables, credentials, or config paths are requested. Files read (package.json, pyproject.toml, Dockerfile, source files, README) are appropriate and necessary for documentation generation.
- Persistence & Privilege (ok): always:false and user-invocable:true. The skill writes into docs/ but does not request persistent elevated privileges or modify other skills' configs.
