Back to skill
Skillv1.6.0
ClawScan security
Gorm Expert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 15, 2026, 3:12 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, scripts, and runtime instructions are coherent with a GORM v2 best-practice / toolbox: it provides local Python helper scripts, Go dbcore libraries, and documentation without requesting unrelated credentials or hidden network installs.
- Guidance
- This skill appears to be what it claims: a local GORM assist toolset and a Go dbcore library. Before installing/using: 1) Inspect the Python scripts locally (they claim not to call external APIs), and prefer --dry-run or --format json in CI to avoid accidental writes. 2) When using init_project.py, bench_template.py, or any --output/--force flags, run in a sandbox or non-production checkout to avoid overwriting files. 3) The Go assets contain code that can auto-migrate DB tables (LeafSegmentGenerator auto-creates leaf_alloc, NewOrderModel may AutoMigrate when isMigrate=true). Do not run those parts against a production database without backups and review. 4) If you will run analyze_gorm.py in CI, validate its rule set and consider running it on a sample repo first. Overall the skill is coherent and doesn't request unrelated secrets — treat DB-migration and file-write operations with the usual operational caution.
Review Dimensions
- Purpose & Capability
- okName/description (GORM best practices, performance, multi-tenant, scaffolding, SQL→struct, etc.) match the included artifacts: Go assets (dbcore), Python helper scripts (analyze, gen_model, pool_advisor, etc.), and extensive references. There are no unexpected environment variables, binaries, or remote services declared that would be inconsistent with the stated purpose.
- Instruction Scope
- noteSKILL.md instructs the agent to prefer running local Python scripts on user-provided code/SQL and to return script outputs plus commentary. Scripts are described as Python 3.8+ only and claim not to call external APIs or require credentials. This scope is appropriate, but note: several scripts (init_project.py, bench_template.py) can write files when invoked with explicit flags (--output, --force). The SKILL.md does not instruct reading system secrets or unrelated files. Review scripts before running and prefer --dry-run when available.
- Install Mechanism
- okThere is no install spec and no network download/install in the manifest — the skill is instruction + local source files. All code is bundled in the skill (Go sources and Python scripts). No external URLs, package installations, or archive extraction steps are declared.
- Credentials
- okThe skill declares no required environment variables or credentials. Comments in the Go code mention optional patterns (e.g., reading SNOWFLAKE_NODE_ID from env) which are normal implementation notes but not required by the skill. Nothing in requires.env or primary credential is requested that would be disproportionate to a DB tooling / scaffolding skill.
- Persistence & Privilege
- noteThe skill is not always-on and does not request elevated platform privileges. However, functionality that writes to disk exists and is gated behind explicit flags (init_project.py --output / --force). Also, some Go library code (e.g., NewLeafSegmentGenerator) will AutoMigrate a leaf_alloc table when invoked in a running application — that is expected for a DB scaffolding/ID generator library but has real side effects if run against a production DB. Treat these operations as potentially destructive and run them intentionally and in safe environments.