Skill v1.0.0
ClawScan security
Migration Compass · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign, Mar 4, 2026, 9:56 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only migration planner whose requested capabilities and instructions align with its stated purpose; it does not request credentials, install software, or perform unexpected actions.
- Guidance: This is an instruction-only migration planner and appears coherent with its purpose. Before using it, consider: (1) review generated plans carefully — the skill recommends operations (npm install, proxies, tests) but will not run them for you; (2) do not grant the agent direct filesystem, CI/CD, or production credentials unless you trust it to perform operations autonomously; (3) run migration steps in a safe environment (fork, staging) and validate rollback points before touching production. If you want the agent to audit your repository, grant only temporary, scoped access and inspect the outputs it produces.
Review Dimensions
- Purpose & Capability (ok): Name/description (migration planning) matches the SKILL.md: the file contains step-by-step migration strategies (library swap, framework migration, language migration, DB migration). No unrelated binaries, env vars, or external services are requested.
- Instruction Scope (note): The SKILL.md prescribes actions such as auditing code (searching imports), cataloging routes/middleware, creating adapters, and recommending commands like npm install or running tests. This is consistent with producing a migration plan, but it implicitly assumes access to the project's source code and deployment/testing environments. The skill does not itself run commands (it is instruction-only), so you should review any plan before executing commands or granting the agent filesystem/CI credentials.
- Install Mechanism (ok): No install spec, no downloads, and no code files — lowest-risk installation model. Nothing is written to disk by the skill itself.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The actions described (audits, adapters, proxies) are expected for migration planning and do not require secrets to produce a plan.
- Persistence & Privilege (ok): always:false and default agent invocation settings. The skill does not request permanent system presence or modify other skills; autonomy is platform-default and not a specific concern here.
