Skill v0.1.0

ClawScan security

Generating Publication Ready Figures In R · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Feb 26, 2026, 10:05 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's description (an R package providing themes and helper functions) does not match its footprint — it is instruction-only and does not include the R code it advertises, which is an incoherence that could confuse or mislead users.
Guidance
This skill appears coherent in purpose (making ggplot figures publication-ready) but is instruction-only: it advertises R functions and a project structure that are not included in the published bundle. Before using:

1) don't blindly run code the agent suggests — verify whether theme_* and export_publication functions exist in your environment;
2) if the agent suggests sourcing remote R scripts, inspect their contents before sourcing;
3) be cautious with extrafont::font_import() and other commands that change system fonts or write files — they can be slow and may require permissions;
4) if you expect a ready-to-use package, ask the publisher for the missing R files or a proper install mechanism (CRAN/GitHub repo) so you can review and install safely.

Providing the missing R/publication_themes.R or a link to the repository would increase confidence and could change this assessment to benign.

Review Dimensions

Purpose & Capability
concern: The skill claims a library of R functions (theme_nature, scale_color_nature, export_publication, R/publication_themes.R, etc.) and a project structure, but the published package only contains SKILL.md and README.md. There are no code files or install instructions to provide the advertised functions. A user expecting to simply call those functions will not find them in this bundle.
Instruction Scope
note: The SKILL.md stays within the stated purpose (transform ggplot objects, combine panels, export with ggsave, use packages like patchwork/cowplot). It does instruct operations that write files (ggsave) and to run font-import commands (extrafont::font_import()), which affect the local environment — those are expected for the purpose but worth reviewing before executing. The instructions assume local R code (sourcing publication_themes.R) that is not included.
Install Mechanism
ok: No install spec and no binaries requested: the skill is instruction-only. This minimizes install-time risk, but combined with the missing code files, it means the skill likely intends to have the agent produce or instruct usage of code rather than provide it.
Credentials
concern: The skill requests no environment variables or credentials (good). However, it references operations that interact with the user's filesystem and local R environment (sourcing local scripts, running font_import, saving files). Because the R code that implements the themes isn't present, an agent or a user may be prompted to download or source external scripts — any external sourcing should be verified. No secrets are requested.
Persistence & Privilege
ok: The skill does not request persistent installation or elevated privileges; always is false and there are no install scripts. It does instruct actions that modify the local environment (writing files, importing fonts), but it does not attempt to modify other skills or system-wide agent settings.