Skill v1.0.2
ClawScan security
Full-Stack Web Engineer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 5:22 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only full‑stack engineering guide whose requested footprint (no installs, no credentials, no system paths) matches its stated purpose.
- Guidance: This skill is essentially a curated set of engineering checklists and example code and does not request credentials or install binaries, so its footprint is coherent with its description. Before installing: verify the publisher/owner (source/homepage are unknown), and review the examples for project‑specific changes (e.g., set JWT_SECRET, database connection strings) so you don't accidentally commit secrets into code. Because it's instruction-only, the main risks are human (copying insecure examples into production) and trusting the unknown owner; if you plan to use snippets in production, audit them (especially auth, logging, and any code touching secrets) and ensure secrets are managed by your environment, not embedded in the skill.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (Full-Stack Web Engineer) align with the provided content: checklists, architecture guidance, and example TypeScript/Vue/Bun snippets. It does not request unrelated binaries, environment variables, or privileged config paths.
- Instruction Scope (ok): Runtime instructions are limited to loading internal reference modules and applying checklists. Example code snippets reference common env vars (e.g., process.env.JWT_SECRET, LOG_LEVEL) in illustrative middleware/logger examples, but the SKILL.md does not instruct the agent to read or exfiltrate host secrets or arbitrary files.
- Install Mechanism (ok): There is no install spec and no code files that would be downloaded or executed; the skill is instruction-only which is the lowest install risk. The Quick Start example mentions 'clawhub install fswe' but no install artifact or URL is provided in the package metadata.
- Credentials (ok): The skill declares no required environment variables or credentials. Example code shows typical environment references (JWT secret, log level, sqlite filename) appropriate to the domain; there are no disproportionate or unrelated credential requests.
- Persistence & Privilege (ok): The skill is not configured as always:true and does not request persistent system modifications. Autonomous invocation (disable-model-invocation: false) is the platform default and not by itself concerning for this instruction-only skill.
