Skill v1.0.0

ClawScan security

Gitignore Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 1:07 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (generating .gitignore files from GitHub templates); it needs network access to api.github.com and writes a small cache and output files, which is proportionate to the task.
Guidance
This skill appears coherent and implements what it claims. Before installing/using it, note: (1) the script fetches templates from api.github.com (network access) and may be rate-limited by GitHub when unauthenticated; (2) it writes a cache file under ~/.cache/gitignore-gen and will create/overwrite the target .gitignore (use --force/--append carefully and verify output path); (3) the code has minor bugs/rough edges (e.g., a small timing check implementation quirk) but nothing indicating malicious intent; (4) review the script if you require strict offline operation or need authenticated GitHub access. If you are comfortable with these normal behaviors (network + file writes in your home/workdir), the skill is reasonable to install/use.

Review Dimensions

Purpose & Capability
ok
Name/description (gitignore generator using GitHub templates) align with the provided script and SKILL.md. The script fetches templates from GitHub, combines them, supports detection from local files, and writes a .gitignore — all consistent with the skill's stated functionality.
Instruction Scope
note
Runtime instructions direct the agent/user to run the included Python script. The script performs expected actions: network requests to api.github.com, reading the target directory for detection, and writing output (.gitignore or custom path) and a cache file under ~/.cache/gitignore-gen. These behaviors are within the scope of generating .gitignore files but do involve network and filesystem access (home dir cache, working-directory writes).
Install Mechanism
ok
No install spec is present (instruction-only with an included script). No downloads or external installers are invoked by the skill itself, so nothing arbitrary is written to disk beyond running the provided script and its cache/output files.
Credentials
ok
The skill declares no required environment variables or credentials. The script also does not read secret environment variables or require auth; it makes unauthenticated requests to the GitHub API (which is appropriate for public gitignore templates, though subject to rate limits).
Persistence & Privilege
ok
The skill does not request permanent inclusion, does not modify other skills or system-wide agent settings, and only writes its own cache (~/.cache/gitignore-gen) and any .gitignore output specified by the user. This level of persistence is proportional to its function.