Skill v1.0.0
ClawScan security
AI Builder Signal Digest (Transparent + Sourced) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 20, 2026, 12:19 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are consistent with its stated purpose: it builds a short, sourced digest from provided links or a local JSONL log and makes only reasonable, proportional network requests to public endpoints.
- Guidance: This skill appears coherent and low-risk: it reads only the input path or links you provide and fetches public GitHub/arXiv pages to add 'why care' and maturity info. Before installing, consider whether you are comfortable with outbound network calls from the environment that runs skills (it uses unauthenticated GitHub API calls and simple HTML scraping of arXiv). If you want to avoid network access, do not pass external links and only run it against local logs; you can also inspect the included Python script before use (it is short and uses only the standard library).
Review Dimensions
- Purpose & Capability: ok. The name/description match the bundled script and SKILL.md: the tool accepts links or a JSONL signals log and produces a 3–5 item digest. No unrelated binaries, credentials, or config paths are requested.
- Instruction Scope: ok. Runtime instructions stay on-task: they read either an explicit input JSONL or supplied links, enrich items by querying public GitHub and arXiv pages, and write a markdown digest to the provided out path or stdout. The script does not instruct indiscriminate system scanning or access to unrelated files or secrets. Note: it will read any input path you explicitly provide.
- Install Mechanism: ok. No install spec; the skill is instruction-plus-script only and uses only the Python standard library. No third-party downloads or archives are fetched or installed.
- Credentials: ok. No environment variables or credentials are required. The script makes unauthenticated requests to public GitHub API endpoints and arXiv pages (subject to rate-limiting), which is proportionate to the stated maturity-enrichment feature.
- Persistence & Privilege: ok. The skill does not request persistent/always-on inclusion, does not modify other skills or global agent settings, and uses no privileged operations.
