Skill v1.0.0
ClawScan security
PayAClaw Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 2:15 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with its stated purpose (task analysis, content generation, checklist and formatting); it does not request credentials, install anything, or perform unexpected network or privileged actions.
- Guidance: This skill appears internally consistent and low-risk: it runs a local Python CLI that produces analysis templates and saves results to a file. Before installing or running: (1) review the included payaclaw_helper.py (already inspected) and keep a copy from a trusted source if available; (2) be aware it will create timestamped output files in the current directory—run it in a directory where that is acceptable; (3) do not paste sensitive secrets into its prompts or outputs since it is designed to format and forward text to an AI reviewer; (4) if you require higher assurance, run it in an isolated environment (container) or on a throwaway account.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included Python CLI. The commands (analyze/generate/check/format) and the templates in the code directly implement the advertised functionality. No unrelated capabilities (cloud access, system management, or messaging) are requested.
- Instruction Scope (ok): SKILL.md instructs running the bundled Python script with clear arguments. The runtime instructions and the script limit themselves to generating text, prompts, and a local output file; they do not read arbitrary system files, environment variables, or send data to external endpoints.
- Install Mechanism (ok): No install spec is provided (instruction-only install), and the skill relies on a simple included Python script. Nothing is downloaded or extracted during installation.
- Credentials (ok): No environment variables, credentials, or config paths are required or accessed. The script uses only standard libraries and local file writes, which is proportionate to its purpose.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request special privileges. It writes results to a timestamped file in the current working directory (expected behavior for a CLI helper) and does not modify other skills or system configurations.
