Back to skill
Skillv1.0.0
ClawScan security
Speed Run · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 12:16 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- An instruction-only, zero-dependency gamification guide for timing coding work; it asks for no credentials, installs nothing, and the instructions are scoped to human workflow/rules rather than automated access to your system.
- Guidance
- This skill is an instruction-only guide for gamifying coding tasks and appears internally consistent and low-risk. Before enabling it for any automated agent with permission to run commands: (1) review the full SKILL.md to confirm there are no hidden runtime instructions, (2) avoid granting the agent automated push/deploy privileges (git push, CI tokens, cloud deploy credentials) unless you explicitly want those actions, and (3) try it in a sandbox or test repository first so any commits/PRs the agent creates won't affect production. Also note the skill has no homepage and an unknown source — that doesn't indicate maliciousness here, but if provenance matters to you, prefer skills with a verifiable author or repository.
Review Dimensions
- Purpose & Capability
- okThe name/description (gamified timing and splits for coding tasks) matches the SKILL.md content. There are no unrelated environment variables, binaries, or install steps requested that would be out-of-scope for a speedrun-style guide.
- Instruction Scope
- okThe SKILL.md contains human-facing rules, split definitions, and UI mockups for timing and tracking runs. It does not instruct the agent to read arbitrary files, exfiltrate data, call external endpoints, or perform system actions. It references commits, PRs, CI and deploys only as timing milestones, not as required automated steps.
- Install Mechanism
- okNo install spec or code files are present (instruction-only). Nothing is downloaded or written to disk by the skill itself.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. There are no disproportionate secret or credential requests relative to its stated purpose.
- Persistence & Privilege
- okalways is false and the skill does not request persistent or elevated presence. Autonomous invocation is allowed by platform default, but the skill itself does not request extra privileges or to modify other skills/config.