Skill v1.0.0
ClawScan security
Code Flow Visualizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 21, 2026, 11:13 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose (convert a single function in Python/JS/TS into Mermaid flowchart code) matches its instructions and requirements; it requests no credentials or installs and contains no surprising behaviors.
- Guidance: This skill is internally consistent and does not request credentials or installs. It returns Mermaid-format flowchart code (not a rendered image), so you'll need a Mermaid-compatible viewer to render diagrams. Because the implementation is simple (regex/AST-based example in skill.yaml), expect simplifications or occasional inaccuracies for complex functions — test with non-sensitive example code first. Avoid pasting secrets or private credentials into any skill. If you need precise, production-grade control-flow analysis, prefer a skill that documents a full parser/AST library or provides source code for review.
Review Dimensions
- Purpose & Capability: ok. Name and description match the provided SKILL.md and skill.yaml: both describe extracting control flow and returning Mermaid flowchart code for a single function. There are no unrelated environment variables, binaries, or config paths requested.
- Instruction Scope: ok. SKILL.md confines actions to analyzing a single function and producing Mermaid/PlantUML output. It does not instruct reading arbitrary system files, accessing external endpoints, or exfiltrating data. It includes reasonable limitations (single function, simplified loops).
- Install Mechanism: ok. There is no install specification and no code files to write to disk. The skill is instruction-only, so nothing is downloaded or installed by the skill itself.
- Credentials: ok. The skill requests no environment variables, credentials, or config paths. This is proportionate for a code-to-diagram converter.
- Persistence & Privilege: ok. The skill does not request always:true or any elevated persistence. It is user-invocable and can be used normally by the agent without special privileges.
