Skill v1.0.2
ClawScan security
Ariadne Thread · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 5:23 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only documentation/indexing skill whose requirements and instructions match its stated purpose and do not ask for unrelated credentials or installs.
- Guidance: This skill is an opinionated, instruction-only guide for making repos AI-navigable; it's internally consistent and doesn't request secrets or installs. Before enabling it for automated/unsupervised use, consider: (1) the skill expects agents to read and update many repo files (AGENTS.md, INDEX.md, file headers), so decide whether those automated edits should be manually reviewed commits; (2) .cursorignore recommendations should explicitly exclude secrets, credentials, and large vendor directories; (3) if you don't want agents to modify Tier A indexes on every code change, restrict autonomous invocation or adjust the guideline to a review/candidate-change workflow; (4) validate that any CI/build/test commands the skill will run are safe in your environment. If you want tighter control, allow the skill for guidance only (no autonomous edits) or require a human confirmation step before applying changes.
Review Dimensions
- Purpose & Capability (ok): The name and description (AI-friendly project indexing) align with the SKILL.md and the reference docs: it explains how to create AGENTS.md, INDEX.md and file headers, how to discover dependents, and how to maintain Tier A/B docs. No unexpected binaries, env vars, or external services are required.
- Instruction Scope (note): The runtime instructions are prescriptive and broad: they instruct agents to create and maintain AGENTS.md, INDEX.md, llms.txt, and file headers, to run repository-wide discovery (grep/find usages), and to update indexes atomically on every change. This scope is appropriate for an indexing/agent-navigation skill, but it grants the agent broad permission to read and modify many repo files (Tier A indexes) when used. There are no instructions to read unrelated system state or secrets, or to send data to external endpoints.
- Install Mechanism (ok): No install spec and no code files; the skill is instruction-only. Nothing is downloaded or written by an installer, so install risk is low.
- Credentials (ok): The skill declares no environment variables, credentials, or config paths. The instructions reference project files only (AGENTS.md, INDEX.md, docs/*) and example local commands (grep, build/test), which are proportional to indexing and documentation maintenance.
- Persistence & Privilege (note): always: false and no special OS/config access. However, the skill explicitly requires atomic upkeep of Tier A indexes on each code change, so if invoked, it expects the agent to read and edit many repo files. Autonomous invocation is allowed by platform default; consider that together with the skill's broad edit expectations if you plan to permit fully autonomous agent actions.
