Skill v1.0.3

ClawScan security

awesome-closet-stylist · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 1:16 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested files, behavior, and instructions are consistent with a wardrobe/outing recommender that reads and updates local wardrobe and preference JSON files; nothing requested is disproportionate to its stated purpose.
Guidance
This skill appears internally coherent and behaves like a local wardrobe manager: it will read and may update user/wardrobe.json, user/preference.json, and user/config.json. Before installing, consider: (1) where those JSON files are stored by your agent and whether you want wardrobe data kept there; (2) image handling — if you upload photos, confirm the platform’s image-storage and sharing policies so pictures aren’t sent to third parties unintentionally; (3) weather lookups — the spec allows external retrieval when configured, so avoid configuring a remote weather API or be aware that location data may be used; (4) test delete flows to ensure the agent asks for confirmation as specified. Overall this skill is coherent and proportional to its stated purpose, but verify the host platform’s I/O, storage, and external-call policies if you have privacy concerns.

Review Dimensions

Purpose & Capability
ok
Name and description match the requested data and actions: reading/writing user/wardrobe.json, user/preference.json, and user/config.json and providing outfit recommendations. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok
The SKILL.md and sub-specs clearly limit actions to wardrobe CRUD, item notes, preferences, and optional weather lookups. They explicitly require reading the local user/*.json files and define confirmation boundaries for destructive actions. There are no instructions to access unrelated system files or to send wardrobe data to external endpoints.
Install Mechanism
ok
No install spec and no code files — the skill is instruction-only. This minimizes code-on-disk risk and matches the described behavior.
Credentials
ok
The skill requires no environment variables, credentials, or external API keys. The only config paths are the local user/*.json files that are appropriate for a persistent wardrobe skill.
Persistence & Privilege
ok
always:false and normal autonomous invocation. The skill documents how and when it will write to local JSON files and mandates confirmation for deletes and conservative persistence for preferences/notes; it does not request system-wide or other-skills modifications.