ARC Creator

Pass

Audited by ClawScan on May 1, 2026.

Overview

ARC Creator appears purpose-aligned and user-directed, but it can run local setup commands, commit project files, and optionally push data to a DataHUB using a token.

Installation and use appear reasonable for creating ARCs. Before letting the skill commit or push, confirm the local ARC directory, inspect the files being added, decide whether the remote repository should be private or public, and use a narrowly scoped DataHUB token if synchronization is needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can create files and initialize a git repository at the path the user provides.

Why it was flagged

The bundled shell script initializes local directories and a git/ARC repository. This is expected for the skill's purpose, but it is still local command execution.

Skill content

mkdir -p "$ARC_PATH" ... $ARC_CMD init ... git init ... mkdir -p .arc studies assays workflows runs

Recommendation

Use a deliberate project directory, review the short script if desired, and avoid pointing it at an existing folder unless you intend to initialize it as an ARC.

What this means

If the ARC folder contains unintended files, they could be committed and, if the user agrees to sync, uploaded to a remote repository.

Why it was flagged

The workflow can stage all files in the ARC and optionally push them to a remote DataHUB. This is disclosed and purpose-aligned, but it is a broad file-publication operation.

Skill content

git add -A ... git commit -m "Initial ARC: <investigation title>" ... Ask if the user wants to push to a DataHUB. If yes ... Set remote and push

Recommendation

Before committing or pushing, run or ask for a review of `git status`, confirm `.gitignore`/Git LFS rules, and verify the remote repository visibility and destination.

What this means

A DataHUB token may allow repository creation or modification under the user's account, depending on its scope.

Why it was flagged

Optional DataHUB synchronization requires account credentials. This is expected for pushing to a hosted git service, and the artifacts do not show token logging, hardcoding, or unrelated use.

Skill content

For DataHUB sync: Personal Access Token for git.nfdi4plants.org or datahub.hhu.de

Recommendation

Use a least-privilege token limited to the intended DataHUB action, avoid storing it inside the ARC, and revoke it when no longer needed.