Skill v1.0.0
ClawScan security
research Decision · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 4:07 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only research assistant that asks the agent to perform bilingual web searches, check docs/issues, and optionally run local version/dependency checks — its requested capabilities align with its stated purpose and it does not request unexpected installs, credentials, or persistent privileges.
- Guidance: This is an instruction-only research/triage skill that will make web queries and, when relevant, run lightweight local checks (version/dependency commands) to validate findings. It does not ask for credentials or install software. Before enabling: decide whether you are comfortable with the agent reading your local development environment (package lists, tool versions) and browsing the web; avoid entering secrets into prompts; review any links/results the agent returns before acting on them. If you need to prevent local commands, restrict the agent's execution rights or instruct it not to run commands.
Review Dimensions
- Purpose & Capability (ok): Name/description (internet research, decision-making, triage) match the SKILL.md instructions (bilingual searches, official docs, GitHub issues, cross-validation, produce sources). It sensibly suggests lightweight local checks (e.g., --version, npm list) which are relevant to version/compatibility tasks.
- Instruction Scope (note): Instructions direct the agent to perform web searches and to run quick local verification commands (version/dependency checks) when relevant; this is within scope for troubleshooting/decision tasks. Note: the SKILL.md gives broad discretion on what to check and instructs the agent to 'run commands' — this could result in reading local package metadata or running CLI tools, so users should expect local environment access during execution.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. Low risk: nothing is written to disk or downloaded by the skill itself.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The local checks it suggests (e.g., --version, npm list, pip list) are proportional to its troubleshooting purpose and do not require additional secrets or external credentials.
- Persistence & Privilege (ok): always is false and it does not request persistent presence or modify other skills. Agent autonomous invocation is allowed by default (normal) but not elevated by the skill.
