Back to skill
Skillv2.0.0
ClawScan security
Best Practices · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 2:30 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only skill that provides static guidance and code snippets for web development best practices; it requests no credentials, installs, or runtime actions and is internally consistent with its stated purpose.
- Guidance
- This skill is essentially documentation and appears coherent with its stated purpose. It does not request credentials or perform installs, so the technical risk of installation is low. Before copying snippets into your projects, however, review them for compatibility with your toolchain (versions of Prettier, Husky, etc.), test pre-commit hooks locally, and confirm the MIT license and authorship meet your trust requirements since the skill's source/homepage are not provided. If you intend the agent to apply these changes automatically, require manual review or sandboxing first rather than blindly applying config/code from this skill.
Review Dimensions
- Purpose & Capability
- okThe name and description match the SKILL.md content: TypeScript/JavaScript, React patterns, code-review checklists and editor/config snippets. The skill declares no binaries, env vars, or installs — which is proportionate for a documentation-style best-practices guide. Note: the package source/homepage is unknown, but that affects trust in authorship, not coherence.
- Instruction Scope
- okThe SKILL.md contains guidance, examples, and configuration snippets (format-on-save, pre-commit hooks, checklists) but does not instruct the agent to run shell commands, contact external endpoints, read system files, or exfiltrate data. The instructions are scoped to developer guidance and code patterns.
- Install Mechanism
- okNo install spec and no code files are included (instruction-only), which is the lowest-risk model — nothing will be written to disk or executed by an installer as part of skill installation.
- Credentials
- okThe skill requires no environment variables, credentials, or config path access. There is nothing requesting secrets or unrelated service credentials.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated persistence. It does not modify other skills' configs or system-wide agent settings.