Skillv1.0.0

ClawScan security

SRT Proofreader · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 1:20 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and runtime instructions are consistent with its stated purpose (proofreading SRTs using srts/source.md and splitting/merging large files); it requests no credentials or network access and includes a small, readable Node script for splitting/merging.
Guidance: This skill appears coherent and low-risk, but before installing: 1) verify Node.js is available if you plan to use the split/merge commands (the metadata doesn't list Node as a required binary); 2) back up your srts/ files (the skill will write files and may run git init and commit in that folder); 3) ensure srts/source.md exists and contains the terminology you want enforced; 4) review the included scripts/srt_sections.mjs yourself (it's small and readable) to confirm behavior; and 5) when running, inspect the git diff before pushing changes elsewhere. If you want stronger isolation, run the skill in a sandboxed workspace.

Review Dimensions

Purpose & Capability: okThe name/description (SRT proofreading with source.md terminology) matches the code and instructions: the included script only splits and merges .srt sections and the SKILL.md describes using git to track edits. There are no unrelated credentials, binaries, or external services requested.
Instruction Scope: okSKILL.md restricts actions to the srts/ directory, requires srts/source.md, limits edits to typo/terminology changes, preserves indices/timestamps/structure, and instructs using git to review changes. It does not instruct reading unrelated system files or sending data externally. It does direct the agent to run git commands and to edit files — which is expected for this purpose.
Install Mechanism: noteNo install spec (instruction-only) and the included script is shipped with the skill (low risk). One small mismatch: the skill's instructions invoke 'node scripts/srt_sections.mjs' but the registry metadata lists no required binaries; ensure Node.js is available in the runtime environment before using the split/merge features.
Credentials: okThe skill requests no environment variables, credentials, or config paths. All file access is limited to the srts/ workspace and the script writes a local manifest in the output directory.
Persistence & Privilege: okThe skill is not always-enabled and is user-invocable. It does not modify other skills or global agent configuration. It may initialize a git repository and commit inside srts/ (documented), which is expected behavior for producing git-tracked edits.