Skillv1.0.0

ClawScan security

Agent Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 9, 2026, 9:17 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, templates, and runtime instructions are consistent with its stated purpose (creating and packaging agent identity files); there are no unexplained credential requests, remote downloads, or installs — but review the generated files and follow local security practices before deploying to a production agent.
Guidance: This skill appears coherent for creating and packaging agent identity files and does not request credentials or perform remote installs. Before using it: (1) review the generated SOUL.md / AGENTS.md / IDENTITY.md contents to ensure they don't instruct the agent to access or exfiltrate sensitive files; (2) be cautious about the AGENTS.md line 'Don't ask permission. Just do it.' — consider editing it to require user consent for external or sensitive actions; (3) inspect the produced .skill ZIP before publishing to ClawHub; (4) only run the documented systemctl restart steps if you have proper access and have tested in a safe environment; and (5) avoid uploading to public registries until you’ve validated the skill contents for your security/privacy requirements.

Review Dimensions

Purpose & Capability: okName/description, templates (SOUL.md, IDENTITY.md, AGENTS.md), and scripts all align with building and packaging an agent identity .skill file. The presence of local packaging scripts is expected for this task. No unrelated environment variables, binaries, or external services are required by the skill itself.
Instruction Scope: noteSKILL.md instructs the user/agent to generate templates, package a .skill, optionally publish with the clawhub CLI, and copy files into agent workspaces, including restarting the gateway. The AGENTS.md template explicitly tells an agent to read workspace files (SOUL.md, USER.md, memory/*.md) — which is expected for an identity package — but also contains a concerning phrase ('Don't ask permission. Just do it.') that encourages the agent to act without consent. The restart/systemctl steps are documented as manual/administrative actions; they are within scope but require local privileges and caution.
Install Mechanism: okNo install spec, no network downloads, and packaging uses only local Python scripts and the stdlib (zipfile, tempfile). The packager includes reasonable checks (no symlink following, avoids packaging files outside the skill root). No high-risk install behavior found.
Credentials: okThe skill declares no required env vars, no primary credential, and the code does not attempt to read credentials or call external APIs. quick_validate has a fallback YAML parser to avoid hard dependency on PyYAML, which is benign. There are no requests for unrelated secrets or config paths.
Persistence & Privilege: notealways is false and the skill is user-invocable (normal). The skill does not request persistent or system-wide privileges. However, SKILL.md advises restarting system services (systemctl) when applying identity changes — this is a normal administrative operation but requires user privileges and care. The AGENTS.md guidance to 'Don't ask permission' increases risk if an agent follows it autonomously.