Skill v1.0.0

ClawScan security

Pattern Mine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 4, 2026, 9:57 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (finding recurring code patterns) matches the visible instructions, but the SKILL.md was truncated so I cannot confirm it doesn't instruct broad file access, execution, or network transmission — review the full instructions before installing.
Guidance
Before installing, get and review the full SKILL.md (the runtime instructions). Specifically: 1) Confirm it limits scanning to the repository or paths you choose and does not read unrelated system files (e.g., home, /etc, secret files). 2) Confirm it does not send code or findings to external endpoints or request credentials. 3) Look for any steps that execute your code, run tests, or run arbitrary shell commands — if present, run the skill in an isolated environment first. 4) Prefer running the analysis locally yourself (give it a path) or in a sandboxed agent with read-only access to the project. If you can paste the full SKILL.md here, I can re-evaluate and raise the confidence level.

Review Dimensions

Purpose & Capability
ok: Name and description align with an agent that scans a codebase for semantically similar code and pattern divergences. The declared manifest (no binaries, no env vars, no install) is proportionate for a read-only analysis skill.
Instruction Scope
concern: Visible SKILL.md describes local code analysis (expected). However, the file is truncated and the runtime instructions (the critical security surface for instruction-only skills) are not fully shown. Verify the full SKILL.md to ensure it only reads repository files you intend to expose, does not request unrelated system paths, secrets, or explicit upload to external endpoints, and does not instruct execution of untrusted code.
Install Mechanism
ok: No install spec and no code files, the lowest-risk distribution model. Nothing would be written to disk by an installer per the registry metadata.
Credentials
ok: The skill declares no required environment variables or credentials, which is proportionate for a static code analysis tool. Still check the hidden portion of SKILL.md to ensure it doesn't read config files (e.g., .env, .aws/credentials) or request tokens at runtime.
Persistence & Privilege
ok: always:false and no install hooks shown. The skill does not request persistent presence or elevated platform privileges in the provided metadata.