Skill v1.0.2

ClawScan security

Spikecv Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 8:25 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only help document for the SpikeCV project and its required actions (git clone, pip install, run CLI, download datasets) are coherent with that purpose.
Guidance
This is documentation for using SpikeCV and is internally consistent, but take normal precautions before following its install/run steps:
1) Verify the GitHub repo and maintainer (https://github.com/Zyj061/SpikeCV) and prefer installing a pinned commit or release rather than an unpinned master branch.
2) Inspect the repository (setup.py/pyproject.toml, CLI code) before pip installing—pip install from a repo runs install-time Python code.
3) Run installs and dataset downloads in an isolated environment (conda env, virtualenv, or container), and avoid installing as root.
4) Expect network traffic (git clone, pip downloads, dataset fetches) and ensure it's acceptable for your environment.
5) If you need stronger assurance, review the repository code or run it in an offline sandbox first.
If you cannot verify the upstream source, do not install.

Review Dimensions

Purpose & Capability
ok: Name, description and included references all match a helper for the SpikeCV repo: instructions focus on cloning the project, installing the Python package, using the spikecv CLI, and downloading SpikeCV datasets. Requested artifacts (none) and files present are consistent with a documentation-only skill.
Instruction Scope
note: SKILL.md instructs the agent to run git clone, pip install .[cli], and spikecv CLI commands (including dataset downloads). These actions are within the stated purpose, but they do cause network fetches and execution of third-party Python package install scripts (normal for installing a Python library). No instructions ask the agent to read unrelated system files, environment variables, or exfiltrate data.
Install Mechanism
note: There is no formal install spec in the registry (instruction-only). The skill recommends pip installing directly from the GitHub repo and optionally installing Miniconda via official mirrors. Fetching and installing code from GitHub is expected for this purpose but does execute upstream package install code (setup/pyproject). This is proportionate, but the user should be aware of the general risk of running third-party installers.
Credentials
ok: The skill declares no required environment variables, binaries, or config paths. The documented actions do not require unrelated credentials or secrets. Dataset downloads and repo access are the only network operations described and are appropriate for the stated functionality.
Persistence & Privilege
ok: always is false and the skill is user-invocable/autonomous-invocation enabled (platform default). The skill does not request permanent agent-level privileges or modify other skills. No concerning persistence behavior is present in the documentation.