Skill v0.1.0
ClawScan security
User Story Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 2:57 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only user-story generator whose instructions, requirements, and absence of installs or credentials are consistent with its stated purpose.
- Guidance: This skill appears coherent and low-risk: it only documents how to convert feature descriptions into user stories and asks for no credentials or installs. Before using it, avoid pasting sensitive or proprietary data into inputs (the skill will be handled by the agent/model), and review generated acceptance criteria and technical notes for accuracy. If you plan to allow autonomous invocation, be aware the agent can call the skill automatically (this is normal); restrict that only if you have a policy requiring human review for generated requirements.
Review Dimensions
- Purpose & Capability: ok. The name and description (generate agile user stories with acceptance criteria, story points, and technical considerations) match the SKILL.md content. The skill declares no binaries, env vars, or installs, which is appropriate for a purely prompt/instruction-based generator.
- Instruction Scope: ok. SKILL.md limits itself to describing inputs (feature description, personas, constraints) and expected formatted outputs. It does not instruct the agent to read files, access environment variables, call external endpoints, or collect unrelated system data.
- Install Mechanism: ok. No install spec and no code files are present. As an instruction-only skill, nothing is written to disk or downloaded during install, which is the lowest-risk pattern.
- Credentials: ok. The skill requires no environment variables, credentials, or config paths. There are no requests for secrets or unrelated service keys, which is proportionate for the stated functionality.
- Persistence & Privilege: ok. Flags: always is false (not force-included), user-invocable is true, and disable-model-invocation is false (agent may invoke autonomously); these are normal defaults for a skill of this type. The skill does not request persistent system modification or access to other skills' configs.
