Skill v1.1.0

ClawScan security

Quality-Driven Development (QDD) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Feb 26, 2026, 9:44 AM)
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only development methodology assistant whose requested actions and artifacts align with its stated purpose and do not request unrelated credentials or installs.
Guidance
This skill is instruction-only and appears coherent for code quality tasks. If you install/use it, be aware the agent will analyze your repository, run test/coverage commands if present, and may modify project files (add tests, update logging, add dev dependencies). Before letting it make changes automatically: 1) run it on a feature branch or copy of your repo, 2) review the generated SPEC and diffs/commits before merging, and 3) ensure CI runs and sensitive production systems are not affected by any test or install commands the agent may execute. If you require the agent to add dependencies or run package manager commands, prefer explicit approval for those steps.

Review Dimensions

Purpose & Capability
Status: ok
Name/description (quality-driven development, automatic TDD/DDD selection, TRUST 5) match the SKILL.md: the instructions focus on test presence/coverage, methodology selection, SPEC creation, tests, logging, and quality gates. There are no unrelated environment variables, binaries, or external credentials requested.
Instruction Scope
Status: ok
Runtime instructions ask the agent to analyze the project, detect language/frameworks, run available test/coverage commands, add tests, add/adjust logging, and produce SPEC and reports. Those actions are expected for a dev-assistant. The instructions do not request reading or exfiltrating unrelated system files or secrets, or contacting unexpected external endpoints.
Install Mechanism
Status: ok
No install spec and no code files; the skill is instruction-only. That minimizes disk/remote install risk. The skill may suggest adding test/logging dependencies to the project, but that is coherent with its purpose; the skill itself does not download or install anything on the host.
Credentials
Status: ok
The skill declares no required env vars, no config paths, and no credentials. The SKILL.md also emphasizes avoiding logging secrets. There is no disproportionate credential request.
Persistence & Privilege
Status: ok
The always flag is false, and the skill is user-invocable with normal autonomous invocation allowed by platform defaults. The skill does not request persistent system-wide modifications or the ability to alter other skills' configs.