Skillv1.0.1

ClawScan security

Task Weight Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 12, 2026, 2:51 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements, instructions, and included files are consistent with its stated purpose (managing weighted conversation threads); it only writes small workspace templates and does not request unrelated credentials or install arbitrary code.
Guidance: This skill appears coherent and low-risk: it classifies threads, keeps a mainline, and optionally writes small template files in your current workspace. Before installing, note that: (1) the included Python script will create task-weight-manager/threads.md and related templates in whatever directory the agent runs in — if you don't want files created, run in an empty or controlled folder or inspect the script first; (2) the references discuss optional cron/heartbeat and external automation that could later require you to supply LLM or service credentials — the skill itself does not request those, but any automation you add will; (3) verify python3 is on PATH if you want to use the bootstrap. If you plan to enable periodic automation or external helpers, review those components and any credentials they need before enabling them.

Review Dimensions

Purpose & Capability: okName/description (focus/weight manager for interleaved chat threads) match the files and instructions. Requiring python3 is reasonable because a small bootstrap script is included to create workspace templates; no unrelated binaries, env vars, or config paths are requested.
Instruction Scope: noteSKILL.md stays inside the stated domain: classifying recent turns into threads, maintaining a threads.md board, handling interrupts, and optionally using cron/heartbeat for periodic checks. It does advise periodically re-reading recent turns and saved board files (task-weight-manager/threads.md) — which is expected — and suggests external automation (cron/gateway) that, if implemented by a user, could introduce additional network/credential requirements. The skill itself does not instruct reading unrelated system files or exfiltrating data.
Install Mechanism: okNo install spec and no remote downloads. The only executable artifact is a small local Python script that copies template files into the current workspace; nothing is fetched from external URLs or written into system locations.
Credentials: okThe skill declares no required environment variables or credentials. Although integration notes mention calling an LLM or external service for full automation, the skill does not demand keys itself — any such credentials would be supplied later by user-chosen automation and are therefore proportional.
Persistence & Privilege: okalways:false (no forced always-on). The skill may persist a small human-readable board under task-weight-manager/threads.md if workspace files are allowed; this is proportional to its function and the included bootstrap_script facilitates only template creation in the current workspace.