Skill v1.5.0

ClawScan security

IM Framework · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 30, 2026, 6:34 PM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requested actions (reading local ontology files and fetching quoted passages from mflb.com) match its description, but the package is missing the referenced graph files and requires network fetches of live source text — verify those before installing.
Guidance
This skill appears to do what it says: search a local ontology and fetch/quote sections from mflb.com. Before installing, confirm that the large ontology files (references/graph.jsonl and whitebook-map.jsonl) are actually included or will be provided — SKILL.md refers to them but they are missing from the package you provided. Expect the agent to perform live web_fetch calls to mflb.com and to paste verbatim quotations (legal/copyright implications may apply). If you don't trust mflb.com or don't want the agent to fetch external webpages, don't install. If you proceed, verify the source files and ensure you are comfortable with the agent quoting external content verbatim.

Review Dimensions

Purpose & Capability
note: The skill claims to provide a searchable ontology and to ground answers in Forrest Landry's 'An Immanent Metaphysics' by indexing 767 entities and linking to mflb.com. That purpose aligns with the instructions and included schema/anchors. However, SKILL.md repeatedly references references/graph.jsonl and whitebook-map.jsonl (the ontology and structural map) which are not present in the provided file manifest. This mismatch is likely a packaging omission but is an inconsistency the user should confirm.
Instruction Scope
ok: Runtime instructions are explicit: search the local graph, retrieve the entity's 'location' URL, call web_fetch(location_url) and quote verbatim with URL attribution. The only external action is fetching content from mflb.com, which is coherent with the skill's purpose. Example shell snippets include user-specific absolute paths (~/Tillerman/...) which are just examples and not required; they may confuse non-technical users but are not harmful.
Install Mechanism
ok: This is instruction-only with no install steps or downloaded artifacts, so there is nothing written to disk by an installer. That is the lowest-risk install model.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. Its network fetch requirement (mflb.com) is necessary for its stated goal of quoting the canonical text; no unrelated secrets are requested.
Persistence & Privilege
ok: The skill is not marked always:true and does not request persistent privileges. It is user-invocable and can be invoked autonomously by the agent (default platform behavior), which is expected for a skill of this type.