Skill v1.0.0
ClawScan security
PLS Website Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 11:13 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions match its stated purpose (website health audits); it is an instruction-only skill that performs network checks and local tool invocations and does not ask for credentials or unrelated access.
- Guidance: This skill appears coherent for performing website audits. Before running it, be aware that: (1) the scripts and commands will make network requests to the target site and may recursively crawl links — only audit sites you own or have permission to test; (2) npx and pip commands in the instructions will download and execute third‑party packages at runtime — review those packages or run the skill in a sandboxed environment if you have supply-chain concerns; (3) no credentials are requested, so the skill cannot access protected resources unless you explicitly provide credentials later. If you need stricter controls, ask the publisher for an explicit install spec with vetted package versions or run the provided scripts in an isolated VM/container.
Review Dimensions
- Purpose & Capability (ok): Name/description (website performance, broken links, security headers, accessibility, SEO) align with the instructions and example commands/scripts provided. Required resources (none declared) are consistent with a tool that uses standard CLI tools and small Python scripts to fetch and analyze pages.
- Instruction Scope (note): SKILL.md stays on-topic: it instructs the agent to fetch pages, parse HTML, check headers, run lighthouse/web-vitals, and run openssl for cert checks. It does not instruct reading unrelated local files or asking for unrelated secrets. Note: the instructions include commands that will download/run third-party tooling at runtime (npx, pip install) and perform recursive crawling of same-origin links — this is expected for a site-audit but does have side effects (network requests, package installs).
- Install Mechanism (note): There is no install spec (instruction-only), which is low baseline risk. However the instructions rely on runtime package installs/usage (npx lighthouse/web-vitals, pip install LinkChecker), which will fetch and run code from public registries when executed; this is expected for such audits but increases runtime trust requirements.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. All proposed operations (HTTP(S) requests, header checks, crawling) do not require additional secrets, so the lack of requested secrets is proportionate.
- Persistence & Privilege (ok): always is false and the skill does not request persistent or system-wide configuration. It does not attempt to modify other skills or agent settings in the provided instructions.
