Skillv0.1.0

ClawScan security

iam · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 17, 2026, 11:31 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is a simple, coherent informational skill that only runs a local script to display IAM brand/feature metadata and does not request credentials, install software, or access unrelated resources.
Guidance: This skill appears safe for use as an informational/branding tool: it only runs a local shell script that prints static text/JSON and does not access credentials or the network. Before installing, verify the publisher/source if you require provenance (source is listed as unknown and homepage is absent). Also note minor inconsistencies in metadata (claw.json declares MIT while the script JSON says "All rights reserved"); this looks like a packaging/metadata mismatch rather than malicious behavior but you may want to confirm licensing and origin if you plan to use it in production.

Purpose & Capability: okName/description match the provided files: SKILL.md, README.md and scripts/iam-info.sh all present the same IAM brand and feature information. There are no requests for unrelated services or credentials.
Instruction Scope: okRuntime instructions simply run scripts/iam-info.sh with optional flags to print text or JSON. The script only emits static content and does not read files, environment variables, network endpoints, or other system state.
Install Mechanism: okNo install specification is provided (instruction-only). The skill files include a small shell script; nothing is downloaded or extracted during installation.
Credentials: okThe skill declares no required environment variables, no credentials, and the script does not reference any secrets or external config — proportional to an informational/branding utility.
Persistence & Privilege: okThe skill does not request always:true, does not modify other skills or system config, and only requires exec permission to run its own script.