Skillv1.0.0

ClawScan security

Las Vegas · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 12, 2026, 11:44 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only Las Vegas city-guide skill whose requirements and files match its description; the only noteworthy behavior is that it asks the agent to create and store a local memory folder (~/las-vegas/) — review setup.md before running if you want to control what gets written.
Guidance: This skill is basically a large, static Las Vegas guide and appears coherent with its description. Before enabling or invoking it: (1) open setup.md to see exactly what the setup step does (it will be run if ~/las-vegas/ is missing); (2) be aware the skill will create and store files under ~/las-vegas/ (memory.md and notes/) which may contain personal info — remove or encrypt anything sensitive; (3) note that the content is static — the SKILL.md hint about 'current data' is vague, so don't assume it will fetch live, up-to-date official data unless you see explicit network instructions; (4) if you do not want persistent local storage, refuse or sandbox the skill. Overall this looks internally consistent and not suspicious.

Review Dimensions

Purpose & Capability: okName/description (Las Vegas city guide) match the included content files (neighborhoods, visitors, cost, business, etc.). No unrelated binaries, credentials, or services are requested.
Instruction Scope: noteSKILL.md is an instruction-only runtime spec that points the agent to a local memory directory (~/las-vegas/) and to run setup.md if it doesn't exist. The instructions otherwise stay within the stated purpose (serve local guidance files). The phrase 'current data' is vague — the skill appears to be static content; if the agent is allowed to fetch live information, that behavior is not specified here. Inspect setup.md before running to confirm whether it contains any commands that write beyond the skill's own folder or call external endpoints.
Install Mechanism: okNo install spec and no code files to execute. This is low-risk: nothing will be downloaded or installed by the registry artifact itself.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The declared requirements are proportional to a location guide.
Persistence & Privilege: noteThe skill instructs the agent to create and use ~/las-vegas/ for memory and notes (persistence to the user's home directory). This is reasonable for a personal guide but is a persistent footprint; agent autonomous invocation remains enabled by default (not flagged here) — consider whether you want the agent to write or retain personal context in that folder.