Context Verifier
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you or your agent provide a sensitive path or broad glob, the skill may read files you did not mean to include.
The skill intentionally accepts arbitrary user-provided file paths for hashing and verification. This is purpose-aligned, but broad paths or globs could cause unintended local file reads.
the skill will read ANY file path you provide to `/cv hash`, `/cv verify`, or `/cv packet`
Use precise file paths, avoid broad globs, and do not run it on secrets or credential files unless you intentionally want them checked.
Sensitive content could remain in your workspace if you use include-content on confidential files.
The skill creates persistent context packets, and an optional flag can store actual file contents. This is disclosed and purpose-aligned, but persistent outputs can retain sensitive data.
Results are written to `output/context-packets/` in your workspace ... `--include-content` flag stores file contents to disk.
Leave include-content disabled for sensitive files, review generated packets before sharing them, and delete packets that contain private data.
There is no artifact-backed evidence of unsafe install behavior, but provenance is not fully established in the supplied metadata.
The supplied registry information does not identify a verified source, although the artifact itself contains no executable install mechanism or code files.
Source: unknown ... No install spec — this is an instruction-only skill.
Install only from a trusted registry entry or verified repository, especially if you rely on it for integrity-sensitive workflows.
