Skillv1.0.1

ClawScan security

Skill Creator Operator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 24, 2026, 7:38 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-first scaffolder for creating OpenClaw skills; its files and runtime instructions match that purpose and do not request unexplained credentials, installs, or network access.
Guidance: This skill appears to be what it claims: a premium-style skill scaffolder. Recommended precautions before use: run the scaffolder in an isolated or throwaway workspace so it only writes where you expect; inspect the generated files for any accidental secrets or unexpected content before committing or publishing; if you ask the skill to publish, confirm clawhub authentication and review files (as the SKILL.md recommends). The included Node script only writes template files and prints the created directory; it does not perform network I/O, but you should always be cautious running scripts from unknown authors—verify contents (which you have) and run with appropriate filesystem permissions.

Review Dimensions

Purpose & Capability: okName/description describe a premium skill scaffolder and the package contains only documentation and a small Node.js scaffolding script that creates SKILL.md, references/, and scripts/. There are no unrelated env vars, binaries, or network endpoints requested, so required capabilities align with the stated purpose.
Instruction Scope: okSKILL.md gives scoped instructions (first-run wizard patterns, where to store workspace config, how to run the included scaffolder, and safe publishing steps). It does not instruct reading unrelated files, exfiltrating data, or contacting unexpected endpoints. It explicitly warns to check for personal paths/tokens before publishing.
Install Mechanism: okThere is no install spec; the skill is instruction-only with a small local script. The included script is straightforward file I/O to create directories and write template files—no downloads, extracts, or external package installs are performed by the skill itself.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The only persistent data is a workspace/global JSON config file per the documented convention; the author also states 'Never store secrets in long term memory files.'
Persistence & Privilege: noteThe skill recommends persisting a small config file to the workspace or optionally global location; this is coherent with its purpose. Note: persisting config to disk is expected for a scaffolder, so treat persisted files as you would any new project files (inspect them, avoid storing secrets). The skill does not request always:true and does not modify other skills.