Skill v1.0.0
ClawScan security
Universal Command Pattern · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 1:54 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description matches its instructions: it's an instruction-only pattern for authoring commands once and emitting CLI/API/MCP interfaces; it requests no credentials or unusual installs, but you should verify the npm package provenance before installing.
- Guidance: This skill is internally coherent: it documents a pattern and points you to an npm package that implements it. Before you install or use it, verify the @supernal/universal-command package on npm (owner, weekly downloads, repository link, and published code). If you plan to expose generated APIs or MCP tools, review how auth and headers are handled (don't forward secrets or broad headers to agent tools), run a dependency audit (npm audit), and consider testing in a sandbox environment first. If you need higher assurance, ask for the package repository URL or inspect the exact package contents and its publish history before installing.
Review Dimensions
- Purpose & Capability (ok): The name/description match the SKILL.md examples: defining a UniversalCommand and generating CLI, API, and MCP surfaces is exactly what the instructions and API reference show. No requested binaries, env vars, or config paths appear unrelated to that purpose.
- Instruction Scope (note): SKILL.md contains concrete code examples and runtime instructions (npm install, createRuntimeServer, generateNextRoutes, startMCP transport). These are within the stated purpose. Minor note: examples include creating MCP tools and starting an MCP server with transport 'stdio' and reading request headers (e.g., x-user-id) — expected for exposing commands to agents/APIs but worth reviewing in your integration to avoid unintentionally exposing sensitive headers or endpoints.
- Install Mechanism (note): The skill itself has no install spec (instruction-only), but the README instructs installing an npm package (@supernal/universal-command). This is proportional for the purpose. Because the skill points to an external npm package, verify the package's author, source, and contents before running npm install.
- Credentials (ok): No environment variables, credentials, or config paths are required by the skill metadata. The SKILL.md does reference using request headers and auth options for API generation, which is normal for this type of framework and does not imply the skill needs extra credentials itself.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it doesn't request permanent presence or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other concerning flags.
