Skill v1.0.0

ClawScan security

vitepress-config-optimization · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 12:39 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only VitePress documentation/utility skill whose files and runtime instructions are consistent with its name and purpose and do not request unrelated credentials or perform suspicious actions.
Guidance
This package is documentation and examples for VitePress and appears internally coherent. It does not itself require credentials or install code. Things to keep in mind before using: (1) examples show npm install commands — running them will modify your environment and install packages you should review; (2) several examples show fetching CMS APIs or loading env tokens — only provide API keys to integrations you trust and avoid placing secrets in public repos or CI without least privilege; (3) the package source/homepage is unlisted here — if you need provenance, prefer official docs at https://vitepress.dev/ or install VitePress from the official npm package. If you want deeper assurance, ask the publisher for a homepage or compare these files against the official VitePress docs.

Review Dimensions

Purpose & Capability
ok: The skill name/description (VitePress config/tooling) matches the provided SKILL.md and included reference files. All examples, CLI commands, and config samples are relevant to VitePress site configuration, theming, routing, data loading, SSR, and deployment.
Instruction Scope
note: SKILL.md is an instructions-and-doc bundle that shows npm/pnpm/yarn commands and config examples. Some reference examples show fetching CMS data (fetch('https://my-cms-api') with a token) and using loadEnv for API tokens — these are illustrative and not instructions to read arbitrary local secrets. The instructions do not direct the agent to read unrelated system files or exfiltrate data.
Install Mechanism
ok: No install spec or code files that would be downloaded/executed. This skill is instruction-only (lowest install risk).
Credentials
note: The skill declares no required environment variables or credentials. Some examples mention loadEnv and API tokens in the context of CMS integrations (illustrative). No credentials are requested by the skill itself.
Persistence & Privilege
ok: always is false and the skill is user-invocable with normal model invocation allowed. The skill does not request elevated or permanent presence or modify other skills/configs.