Back to skill
Skillv1.0.0
ClawScan security
harmonyOS developer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 26, 2026, 3:21 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only HarmonyOS/ArkTS developer guide that is internally consistent with its stated purpose and does not request unrelated credentials or perform installs.
- Guidance
- This skill is a text-only developer guide and appears coherent for HarmonyOS/ArkTS development. Before using: (1) confirm you trust the skill/source since source/homepage are unknown; (2) never paste real private keys or .p12 passphrases into public chats — keep signing certificates private and use official DevEco tooling; (3) when following network examples, replace placeholder URLs with trusted endpoints; (4) if the skill is later updated to include an install script or code files, re-evaluate for downloads, unexpected URLs, or requests for credentials.
Review Dimensions
- Purpose & Capability
- okThe name and description claim HarmonyOS/ArkTS development guidance; the SKILL.md contains ArkUI components, state management, routing, network, storage, permissions, and signing instructions — all expected for this purpose. The skill requests no binaries, environment variables, or installs that would be out-of-scope. Note: the skill's source/homepage are unknown, but the content itself matches the stated purpose.
- Instruction Scope
- okThe instructions are limited to development guidance (code samples, SDK APIs, permission declarations, signing steps). They do not instruct the agent to read arbitrary host files, access unrelated environment variables, or transmit sensitive agent data to external endpoints. Network examples use a placeholder domain (api.example.com).
- Install Mechanism
- okThere is no install specification and no code files — this is instruction-only, so nothing is written to disk or fetched at install time. That is the lowest-risk install profile.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The SKILL.md references typical development artifacts (module.json5, .p12 signing certificate) that are expected for app signing and are proportional to the described tasks.
- Persistence & Privilege
- okalways is false and disable-model-invocation is false (normal). The skill does not request persistent system presence or modify other skills' configuration. As an instruction-only skill it has no privileged install-time behavior.