Skill v0.1.0
ClawScan security
Wb Troubleshooter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 9:44 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and requirements match its stated purpose (a simple Western Blot troubleshooting CLI); there are minor documentation mismatches but no evidence of hidden network, credential access, or excessive privileges.
- Guidance: This skill appears coherent and low-risk: the Python script simply matches a symptom string to a small built-in knowledge base and prints advice. Before installing or running, you may want to (1) open and review scripts/main.py yourself (it is short and readable) to confirm no network or file I/O was introduced, (2) run it in a sandbox or isolated environment if you prefer, and (3) be cautious if the SKILL.md or script changes in future; the documentation currently overstates file I/O and script execution risk even though the shipped code does not perform those actions.
Review Dimensions
- Purpose & Capability (ok): Name/description, SKILL.md, and the included Python script are consistent: a local troubleshooting tool that accepts a symptom and prints likely causes and solutions. No unexpected binaries, credentials, or external services are requested.
- Instruction Scope (note): SKILL.md refers to 'Python/R scripts executed locally' and 'File System Access: Read input files, write output files', and lists many security checklist items. The bundled Python script, however, only parses CLI args and prints results; it does not read/write files or perform network calls. This is an inconsistency in the documentation (overstated risk) rather than actual code behavior, but you should confirm the distributed script before running in a sensitive environment.
- Install Mechanism (ok): No install spec is provided (instruction-only style with a bundled script). Nothing is downloaded or extracted at install time, so the install surface is minimal.
- Credentials (ok): The skill declares no required environment variables or credentials and the code does not access env vars or secrets. Requested access is proportionate to the described functionality.
- Persistence & Privilege (ok): No 'always: true' flag, no system-wide configuration modifications, and the skill does not persist credentials or install background services. Autonomous invocation is allowed by default but is not combined with other privileges here.
