Skill v1.0.0

ClawScan security

SP Analysis in PL/SQL Package · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 7:48 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with its stated purpose (analyzing PL/SQL packages) and do not ask for credentials, installs, or external network access.
Guidance
This skill is coherent for analyzing PL/SQL packages: it will read package files and workspace files to produce exact call-line references. Before installing or invoking it, ensure you only provide the package(s) you intend to analyze and do not expose repositories containing sensitive SQL, credentials, or production-only scripts. Because the skill requires exact-line verification and workspace-relative links, the agent may scan other files in the workspace to resolve upstream/downstream calls—restrict the workspace or provide a minimal attachment if you want to limit exposure. Review its output before sharing externally. If you need higher assurance, test the skill on a non-sensitive sample package first.

Review Dimensions

Purpose & Capability
ok: The skill declares it will locate and analyze a stored procedure inside an attached PL/SQL package and its instructions only reference reading the provided package file and deriving call relationships. There are no unrelated binaries, credentials, or installs requested that would be unexpected for this purpose.
Instruction Scope
note: The SKILL.md mandates exact line-number verification, re-opening workspace files, and emitting workspace-relative clickable links. That is coherent with producing precise code pointers, but it requires the agent to read the repository/workspace (potentially multiple SQL files) and produce link fragments. This is expected for the analysis task but means the agent will access file contents beyond the single attached file if those files exist in the workspace—review which files are available to the agent before running.
Install Mechanism
ok: Instruction-only skill with no install steps and no code files; nothing will be written to disk or fetched during install.
Credentials
ok: No environment variables, credentials, or config paths are requested. The declared requirements match the described functionality.
Persistence & Privilege
ok: always is false and the skill does not request or imply persistent/system-wide privileges or modifications to other skills. Autonomous invocation is allowed (platform default) but not combined with other risky capabilities.