Skill v0.1.0
ClawScan security
Code Documenter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 7, 2026, 2:17 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only documentation specialist whose requirements and instructions are consistent with its stated purpose; it does not request credentials or install software, but exercise normal caution when allowing it to read or run your code/examples.
- Guidance: This skill appears coherent for generating and improving documentation. Before installing or invoking it: (1) Only grant it access to the project files you want documented — don't expose system-wide files. (2) Do not paste real API keys, private keys, or production secrets into prompts or code examples; use placeholders instead. (3) Be aware that the skill's guideline to 'test code examples' could imply executing code — run tests in an isolated/sandboxed environment if you allow execution. (4) Review any automated edits or generated docs before committing them to your repository. If you need the skill to run code or access CI/credentials, require an explicit, auditable workflow and temporary credentials scoped to test environments.
Review Dimensions
- Purpose & Capability (ok): Name/description (code documentation, API docs, doc sites) match the packaged content: a large SKILL.md and framework-specific reference docs. The skill requests no binaries, env vars, or installs — which is proportionate for a purely advisory/document generation skill.
- Instruction Scope (note): Runtime instructions describe discovering format, detecting language/framework, finding undocumented code, documenting it, and testing examples. Reading and analyzing a codebase is expected for this skill, but 'Test code examples in documentation' can imply executing code or requiring runtime environment details; the skill text itself does not instruct indiscriminate reading of unrelated system files or exfiltration.
- Install Mechanism (ok): No install spec and no code files to execute — this is the lowest-risk pattern for skills. Everything is instruction-only documentation and references.
- Credentials (note): The skill does not declare any required environment variables or credentials. Several example snippets in the reference files show use of API_KEY or PRIVATE_KEY in examples (placeholders). Those are normal examples but could encourage providing secrets to test examples — only provide secrets if you intend the agent to run code in a trusted, isolated environment.
- Persistence & Privilege (ok): always is false, agent invocation is normal, and the skill does not request persistent system-wide privileges or modify other skills' configs.
