Skillv1.1.1

ClawScan security

Skill Maker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 4, 2026, 11:06 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: Instruction-only template for authoring skills; no installs, credentials, or system access requested and overall consistent with its stated purpose.
Guidance: This skill is an instruction-only template for creating new skills and is internally consistent and low-risk: it asks for no installs or secrets. Notes before installing or using it: (1) the package metadata has a minor version mismatch between SKILL.md and _meta.json — likely a housekeeping issue; (2) because it's an authoring tool, review any skills you create with it (especially if you later add scripts or install specs that request credentials or external downloads); (3) although this skill itself requests no credentials or installs, any authored skill may later add them — review those explicitly before enabling. If you want extra safety, test the skill in a restricted/sandbox agent environment first.

Review Dimensions

Purpose & Capability: okThe name and description claim this is a skill-authoring template and the SKILL.md contains templates, process steps, and file/directory conventions appropriate for that purpose. There are no environment variables, binaries, or install steps that would be unrelated to creating skills. Minor metadata inconsistency: SKILL.md frontmatter/version header lists 1.1.1 while _meta.json reports 1.1.0 (possible housekeeping issue, not a security problem).
Instruction Scope: okRuntime instructions are authoring guidance and templates (how to write SKILL.md, directory layout, testing steps). They do not instruct the agent to read arbitrary system files, access credentials, or send data to external endpoints. Some guidance suggests 'read old first' when replacing an existing skill — which is reasonable for a skill author but does not imply automatic file system access in this package.
Install Mechanism: okNo install spec and no code files — instruction-only. This is the lowest-risk install posture because nothing from remote sources will be downloaded or written to disk as part of installation.
Credentials: okNo required environment variables, credentials, or config paths are declared. The SKILL.md does not reference any secrets or external service tokens. Proportionality is appropriate for an authoring/template skill.
Persistence & Privilege: okalways is false and disable-model-invocation is default (agent may invoke autonomously), which is normal for skills. The skill does not request persistent system-level presence or modify other skills' configurations.