Skillv1.0.0

ClawScan security

Error Message Decoder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousFeb 22, 2026, 4:06 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (decoding common error messages) is reasonable and low-risk, but the provided instructions and implementation are inconsistent and contain bugs — the runtime behavior won't match the documentation.
Guidance: This skill itself is low-risk (it asks for no credentials and has no installer), but its documentation and implementation disagree and the code contains at least one clear bug. Before installing or enabling it for autonomous use: 1) Ask the author to align SKILL.md and the implementation (same error list, same output fields). 2) Fix the decodeError function so it returns an object with named fields (e.g., cause, fix) instead of attempting to spread a language string into an object; ensure info entries are objects keyed by language or refactor the lookup. 3) Add tests or examples verifying multilingual output and the fallback behavior. 4) Because this is instruction-only, run it in a sandbox or review the final implementation after fixes to confirm it doesn't read files or environment variables. If you need a ready-to-use tool now, prefer a skill whose implementation and documentation already match and include tests.

Purpose & Capability: okName and description match the declared content: an instruction-only skill that maps common error strings to causes and fixes. It does not request any credentials, binaries, or installs, which is proportionate to the purpose.
Instruction Scope: concernSKILL.md lists a set of known errors (including 'CORS error', '404', '500') and shows output keys like 'cause' and 'fix'. The implementation in skill.yaml contains a different, smaller knownErrors set and returns a different object shape. The implementation also attempts to spread info[language] (a string) into an object, which is a bug and will produce incorrect output or runtime errors. These mismatches mean the agent's runtime behavior will not match the documentation.
Install Mechanism: okNo install spec and no code files beyond instruction/implementation text. Low-risk: nothing is downloaded or written to disk by an installer.
Credentials: okThe skill requests no environment variables, credentials, or config paths — appropriate for an error-decoding utility.
Persistence & Privilege: okalways is false, no elevated persistence requested, and the skill does not ask to modify other skills or system-wide settings.