Skill v0.1.0
ClawScan security
reflow-profile-compliance-toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 10:30 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only toolkit for extracting handbook limits and computing thermocouple-derived reflow metrics; its requirements and instructions are consistent with that purpose and it does not request credentials or install code.
- Guidance: This skill is internally consistent and does not ask for credentials or install code, but it's instruction-only: (1) confirm the agent will only be given the handbook PDFs and MES/thermocouple data you intend it to see (do not supply unrelated sensitive documents), (2) review/fix the small implementation gaps (truncated r2 helper, unclear 'lex' usage) before relying on it for compliance decisions, and (3) test the computations on known test vectors to verify rounding, NaN handling, and tie-break behavior match your handbook/legal requirements.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: the SKILL.md explains how to extract limits from a reflow handbook and compute deterministic thermocouple metrics. There are no unrelated env vars, binaries, installs, or config paths requested.
- Instruction Scope (note): Instructions stay on-topic (handbook parsing, deterministic slopes, TAL, peak, conveyor calculations, and stable tie-break rules). Two implementation-quality notes: (1) the SKILL.md appears truncated at the end (an r2 helper is incomplete) so rounding/NaN behavior is not fully specified; (2) a tie-break example uses an undefined helper 'lex' and a negation that is unclear—these are correctness/clarity issues, not evidence of malicious intent. The skill assumes access to handbook.pdf, MES, and thermocouple traces in the agent workspace; verify the agent's file-access policies before giving production data.
- Install Mechanism (ok): No install spec and no code files — instruction-only skills are lowest risk for installing arbitrary code. Nothing is downloaded or written by the skill specification itself.
- Credentials (ok): The skill declares no environment variables, credentials, or config paths. That is proportionate to the stated purpose of processing handbook PDFs and thermocouple traces.
- Persistence & Privilege (ok): always is false and the skill is user-invocable. It does not request permanent presence or modify other skills/configs. Autonomous invocation is allowed by platform default but not a red flag here given the narrow scope.
