Skill v1.1.2
ClawScan security
zettel-brainstormer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 25, 2026, 6:37 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and resource access are coherent with its stated purpose (building a referenced brainstorm from a seed zettel); it reads local notes, runs local helper scripts, and performs multiple model subagent calls — nothing in the bundle requests unrelated credentials or surprising installs.
- Guidance
- This skill appears internally consistent and implements the described local-note brainstorming pipeline, but consider these practical cautions before installing:
  - Privacy: the workflow reads your local vault (zettel_dir) and the SKILL.md explicitly requires the agent to "ALWAYS include" the final list of references in chat replies — that may expose note titles and absolute file paths in conversation logs. If you keep sensitive notes in the vault, either avoid using the skill or remove/segregate sensitive files first.
  - External dependency: the skill will optionally call an external `zettel-link` skill if available. Review that other skill before allowing it to run, since its semantic retrieval behavior could include different I/O or network interactions.
  - Model calls & cost: the workflow spawns one subagent per candidate note plus drafting/publisher subagents. This can result in many model invocations (cost and data sent to your model provider). Confirm which models are configured in config/models.json and whether those model invocations are acceptable for your privacy/cost constraints.
  - Local writes: the setup script saves config to config/models.json and the scripts write intermediate outputs (e.g., /tmp). If you prefer not to persist config, run setup in a safe environment or edit config manually.
  - Audit before use: because this is an instruction + script bundle, you can safely inspect and run the Python scripts in a sandbox to confirm behavior. If you plan to allow autonomous agent invocation, limit the agent's permissions or review platform audit logs so you can see which notes were accessed.

  If none of these concerns are blocking, the skill is consistent with its stated purpose and reasonable to use.
Review Dimensions
- Purpose & Capability
- ok · Name/description match the actual behavior: scripts and agent prompts operate on an Obsidian/Zettelkasten vault (zettel_dir), find linked notes, preprocess them, compile a draft packet, and run drafting/publishing subagents. There are no unrelated environment variables, external credentials, or unexpected binaries required.
- Instruction Scope
- note · Runtime instructions explicitly tell the agent to read the user's notes (zettel_dir and seed note), run local scripts, spawn one subagent per candidate note, and always include the final list of references in the chat response. This is consistent with the feature, but be aware that the forced inclusion of references may expose absolute filepaths or note titles from your local vault in agent responses and telemetry. The skill also optionally invokes an external `zettel-link` skill if present — you should confirm the behavior of that skill before allowing it to run.
- Install Mechanism
- ok · No install spec is provided (instruction-only), and bundled scripts are plain Python code — there are no downloads from untrusted URLs or extract/install steps. The setup script writes a local config file (config/models.json) and scripts read/write intermediate files under /tmp or the configured output_dir.
- Credentials
- ok · The skill declares no required environment variables or credentials. The bundled config_manager will read optional DEFAULT_MODEL or MODEL environment variables if present (to choose model tiers), but these are not secrets. No keys, tokens, or unrelated service credentials are requested.
- Persistence & Privilege
- ok · `always` is false and the skill does not request to be always-enabled. It writes/reads only its own config (config/models.json) and temporary outputs; it does not modify other skills or system-wide agent settings.
