Skill v1.0.0

ClawScan security

Color · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 4:23 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions align with its stated purpose (color systems, palettes, accessibility, print, and implementation), with no unexpected credential requests or install steps — it's an instruction-only design reference with implementation examples.
Guidance
This skill is coherent and appears to be a pure design and implementation reference. Before running any of the provided command examples:
1) review commands — npx examples invoke remote packages (remote-code-execution risk) so do not run them in sensitive or production environments without vetting the package;
2) ImageMagick commands operate on local files and historically ImageMagick has had vulnerabilities when handling untrusted images — avoid processing untrusted inputs and ensure your ImageMagick is up to date;
3) when using examples that call tooling, prefer to run them in an isolated/sandboxed environment or inspect the package source first;
4) the agent can invoke skills autonomously by default (normal), but there are no other red flags here — if you plan to allow autonomous command execution, constrain the environment and review audit logs.
Overall: safe to use as a human-read guidance doc; treat execution examples with normal operational caution.

Review Dimensions

Purpose & Capability
ok: Name, description, and the included .md files (ui-systems, palettes, accessibility, data-viz, print, color-spaces, commands) all map to color-system work; required binaries/env/paths are none, which is proportionate for a guidance-only skill.
Instruction Scope
note: SKILL.md and the auxiliary files stay on-topic and do not instruct reading unrelated system state or secrets. They include concrete CLI/JS examples (npx colorjs.io, ImageMagick commands, JS examples) which are appropriate for implementation guidance but imply running remote packages or local tools if followed — this is expected but worth noting as an execution risk if you run examples blindly.
Install Mechanism
ok: No install spec; the skill is instruction-only and writes nothing to disk. This is the lowest-risk install posture.
Credentials
ok: No environment variables, credentials, or config paths are requested. Examples reference common toolchains (npx, ImageMagick) but do not require secrets or unrelated system access.
Persistence & Privilege
ok: always is false and there is no indication the skill attempts to persist, modify other skills, or request elevated agent-wide privileges.