Skillv1.0.0

ClawScan security

Prototype Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 5, 2026, 9:53 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, required resources, and behavior are coherent for a prototype-generator: it scans the project, infers list-page structure, and generates HTML/JS/SQL artifacts; it requests no credentials or installs and appears consistent with its stated purpose.
Guidance: This skill will read files in your project folder to detect framework style and will create/modify files (menu.js, view_*.html, mock-ui.js, optional sql/*.sql or standalone HTML). That behavior is expected, but: (1) run it only in a workspace you control or back up the repo first to avoid unintended overwrites; (2) review generated code before deploying — prototypes may include simplistic mock data and lack security hardening; (3) the skill has no external installs or credential access, so no secrets are required, but confirm the agent asks clarifying questions about output paths/framework preferences before making changes.

Purpose & Capability: okName/description match the runtime instructions: detecting project files and producing menu/view/mock files or standalone HTML is consistent with generating admin/list prototypes. No unrelated credentials, binaries, or installs are requested.
Instruction Scope: noteSKILL.md instructs the agent to scan the project workspace (look for kfk-mock-ui.js, KFK.mountListPage, kfk-admin.css, etc.), infer fields, and write generated files (menu.js, view_*.html, mock-ui.js, optional sql/*.sql). This is expected for source-aware code generation, but it means the agent will read repository files and write new files (possibly overwriting). Confirm backup/permission expectations with the user before running.
Install Mechanism: okInstruction-only skill with no install spec and no external downloads. No code is written to disk by an installer step beyond the agent performing generation as described.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The SKILL.md does not reference secrets or unrelated environment variables — requested access is proportional to its purpose.
Persistence & Privilege: okalways:false and user-invocable; the skill does not request persistent platform privileges or modification of other skills. It will create files within the project scope as part of its function, which is appropriate for a generator.