Back to skill
Skillv1.0.0
ClawScan security
WhatsApp Forward · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 19, 2026, 4:41 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (VCards, invite parsing, templates); it asks for no credentials, performs no network I/O, and only runs a small local Node.js script.
- Guidance
- This skill is a small local utility that runs a provided Node.js script to generate vCards, parse WhatsApp invite links, and show message templates. Before installing, ensure you are comfortable allowing the agent to run 'node' commands (Node.js must be available). The code contains no network calls or secret access, so it won't exfiltrate data or require credentials. If you want additional assurance, open scripts/forward.js yourself to review — it's short and human-readable.
Review Dimensions
- Purpose & Capability
- okName/description (vCard generation, invite parsing, forwarding templates) align with the included script: forward.js implements vcard, multi-vcard, parse-invite, and template commands and nothing else.
- Instruction Scope
- okSKILL.md only instructs running the provided Node script with explicit commands. The instructions do not ask the agent to read unrelated files, access environment variables, or transmit data externally.
- Install Mechanism
- okNo install spec (instruction-only). The included script is small, readable, and does not perform downloads or write to disk beyond normal execution. Low install risk.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths, which is proportional to its simple functionality.
- Persistence & Privilege
- okalways is false and the skill does not request persistent/system-wide changes. It simply runs a local script when invoked.