Skill v0.1.0
ClawScan security
voc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 18, 2026, 2:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a simple namespace placeholder that only runs local shell scripts to print brand/about/deck/stats placeholders and its requirements match its stated purpose.
- Guidance: This skill is a lightweight namespace placeholder that only runs bundled bash scripts to print about/deck/stats placeholders. It appears safe and coherent with its description. Before installing, review that you are comfortable granting exec permission (the agent will be allowed to run the included shell scripts). Note small metadata inconsistencies (license/year text) and the 'website' string in the JSON output — if you rely on the vendor or site, verify the publisher independently. Also be mindful that future updates could add network access or credential requirements, so re-check new versions before trusting them.
Review Dimensions
- Purpose & Capability (ok): Name/description describe a vocabulary namespace and the files/scripts present implement only informational placeholders and CLI stubs; nothing in the package requests unrelated credentials, binaries, or system access. Minor metadata inconsistencies (claw.json lists MIT while scripts/readme use 'All rights reserved', and years differ) are present but do not indicate malicious intent.
- Instruction Scope (ok): SKILL.md instructs the agent to run included helper scripts and to respond with brand/command info. The scripts only print static text and JSON; they do not read other files, environment variables, or network endpoints. The requested exec permission is proportional to running these scripts.
- Install Mechanism (ok): No install spec is provided (instruction-only with bundled scripts). Nothing is downloaded or extracted from external URLs; scripts are local and small. This is the lowest-risk install model.
- Credentials (ok): No environment variables, credentials, or config paths are required. The skill does not declare or access secrets. This is proportionate for a brand/info placeholder skill.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/system-wide changes. It only needs exec permission to run its own scripts and does not modify other skills or agent configuration.
