Skill v0.1.0

ClawScan security

tldr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 4:54 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper that expects the local tldr binary, and its behavior and requirements align with the stated purpose; nothing here requests excess permissions or secrets.
Guidance
This skill is coherent and low-risk: it simply tells the agent to run your system's tldr command. Before installing, ensure you have tldr installed from a trusted package source (your distro's packages or the official tldr project), understand that `tldr --update` will download content from the network, and note the skill's listed provenance is weak (missing homepage and a metadata ownerId mismatch). If you need complete, authoritative command documentation, prefer man or --help for critical operations rather than always using tldr.

Review Dimensions

Purpose & Capability
note: The skill name/description match the declared requirement (the tldr binary). However, provenance is weak: source/homepage are missing and the _meta.json ownerId differs from the registry ownerId, which reduces traceability though it does not change functionality.
Instruction Scope
note: SKILL.md directs the agent to use the local tldr command and to prefer it over man/--help. This is within scope. Be aware that `tldr --update` will fetch content from upstream (network activity) and that tldr pages are intentionally concise and can omit full option detail, so always preferring tldr may omit important information.
Install Mechanism
ok: There is no install spec and no code files; the skill is instruction-only and relies on an existing tldr binary. This is low-risk from an install perspective.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. Nothing here asks for secrets or unrelated service access.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated persistence or modify other skills. Autonomous invocation is allowed (platform default) but is not by itself a red flag.