Skill v1.0.0

ClawScan security

Link Saver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 11:57 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are coherent with its stated purpose: it locally saves, lists, searches, and deletes bookmarks in a links.json file and requests no credentials or external installs.
Guidance
This skill appears to be what it claims: a simple local bookmark manager that stores data in a links.json file next to the skill code. Before installing, consider: (1) links.json is stored unencrypted and could contain sensitive URLs or notes—confirm whether that storage location is acceptable; (2) the file will be created/modified under the skill's directory—know where your platform places skill files and back up or remove links.json if you uninstall; (3) if you need cloud sync or sharing, this skill does not provide that and would require additional trusted infrastructure; (4) if you want to audit behavior, you can inspect index.js yourself (it contains only fs/path usage, no network or secret access).

Review Dimensions

Purpose & Capability
ok: Name/description (link saver) match the code and SKILL.md: the skill only implements saving, listing, searching, and deleting links. No unrelated binaries, env vars, or services are requested.
Instruction Scope
ok: SKILL.md and index.js stay within scope. The runtime reads/writes a single local file (links.json) in the skill directory and only processes messages for bookmark operations. There are no instructions to read unrelated system files, environment variables, or to transmit data externally.
Install Mechanism
ok: No install spec is present and there are no external downloads. The skill is instruction+code only and uses built-in Node.js fs/path modules; nothing is fetched from the network.
Credentials
ok: The skill requires no environment variables or credentials. The code does not access process.env or other external secrets; requested access is minimal and proportional to the feature set.
Persistence & Privilege
ok: "always" is false and the skill does not modify other skills or system-wide configs. It creates/updates a local links.json file in its own directory, which is a reasonable level of persistence for a bookmark tool.