Back to skill
Skillv1.0.0
ClawScan security
Security Vulnerability Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 21, 2026, 11:19 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions match its stated purpose (a simple, regex-based static vulnerability scanner); it asks for no credentials or installs and does not perform unexpected actions.
- Guidance
- This skill is a simple, local regex-based scanner that expects you to pass code as a string and returns pattern matches and a score. It does not request credentials or install software, so it is internally coherent. However, the detection rules are basic and JavaScript-centric — expect false positives and missed issues. Before relying on it for security decisions, review and extend its patterns for your languages, test it on known vulnerable/clean samples, and prefer established static analysis tools for critical codebases.
Review Dimensions
- Purpose & Capability
- okName and description (static vulnerability scanning) match the provided runtime instructions and patterns. The skill is instruction-only and expects code as input (scan_vulnerabilities(code, language)), which is consistent with its purpose.
- Instruction Scope
- noteInstructions implement simple regex-based checks embedded in SKILL.md/skill.yaml and do not direct the agent to read files, environment variables, or external endpoints. Note: the scan is purely pattern matching (JavaScript-oriented patterns) and lacks guidance on how code is supplied or on multi-language support; this limits coverage and may produce false positives/negatives.
- Install Mechanism
- okNo install spec or external downloads — lowest-risk configuration (instruction-only), nothing is written to disk by an installer.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths; this is proportionate for a static analyzer that operates on provided code strings.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or persistent privileges. Autonomous invocation is allowed by default but is not combined with any broad credential access or persistent modification.