Skill v1.0.2

ClawScan security

Problem Solving · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 12:32 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and requirements are coherent with a structured troubleshooting methodology; it asks the agent to inspect logs, configs, and code (which is appropriate for diagnostics) and does not request unrelated credentials or installs.
Guidance
This skill is internally coherent and matches its stated purpose, but it is an instruction set for diagnosing problems — it will (and should) ask the agent to inspect logs, config files, and source code and may recommend or record changes. Before you enable it: 1) ensure you trust the skill owner (source/homepage is missing here); 2) restrict the agent's file access to only the systems/files needed for the diagnosis (least privilege); 3) require explicit user confirmation before the agent performs risky changes; 4) back up configs/data before following any execution steps the skill recommends; and 5) monitor and audit any files the skill writes (e.g., .learnings/). If you need higher assurance, review the full SKILL.md and README yourself or run the skill in a controlled/test environment first.
Findings
[NO_CODE_TO_SCAN] expected: The regex-based scanner had no code files to analyze because this is an instruction-only skill (SKILL.md + README). That outcome is expected for a methodology/document skill.

Review Dimensions

Purpose & Capability
ok: Name/description match the content of SKILL.md: a general problem-diagnosis methodology. There are no unexpected required binaries, env vars, or config paths that would be unrelated to the stated purpose.
Instruction Scope
note: The SKILL.md explicitly instructs the agent to read logs, state files, configs, and source code and to run minimal reproduction experiments and possible changes (with rollback). Those actions are appropriate for diagnostic work but do require access to potentially sensitive files and may result in writing .learnings/ or other artifacts. This is within scope, but operators should be aware the skill expects file/system access and may recommend changes that need explicit user consent.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. Lowest-risk install footprint (nothing is downloaded or written during install).
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The SKILL.md's references to reading logs/configs are consistent with its purpose and do not imply hidden credential requirements.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request persistent elevated privileges or modify other skills. It may advise writing local lessons (.learnings/) which is a modest, expected level of persistence.