Skill v1.0.0

ClawScan security

Dev Progress Governor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 9:58 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only helper for commit-readiness, commit messages, and progress-log updates; its declared scope, inputs, and actions are coherent and proportionate with no unexpected installs or credential requests.
Guidance
This skill is instruction-only and appears low-risk: it will evaluate commits and suggest messages and progress-log entries, and by default appends to progress-log.md at the project root. Before installing or enabling it for autonomous runs, confirm the agent running the skill has access only to the intended repository (so it cannot read or modify unrelated files), and review any generated commit messages or log entries before using them to actually commit or push. If you prefer the log in a different location, override the default path to avoid accidental writes. No network access or credentials are required by the skill itself.

Review Dimensions

Purpose & Capability
ok
Name/description match the SKILL.md responsibilities (commit readiness, messages, progress logs, blockers). The skill requires no binaries, env vars, or external services that would be unrelated to its stated purpose.
Instruction Scope
ok
Runtime instructions stay on-topic: evaluating steps, producing commit messages, and appending progress-log entries. The skill references only repository-local artifacts (changed files, progress-log.md) and does not direct data to external endpoints or request unrelated system files or credentials.
Install Mechanism
ok
No install spec and no code files — instruction-only — so nothing is written to disk or downloaded during install. Lowest-risk install profile.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. Its needs are minimal and aligned with the described behavior.
Persistence & Privilege
ok
always is false and autonomous invocation is allowed (platform default). The skill does not request persistent or elevated privileges and does not modify other skills or system-wide settings.