Skillv1.0.0

ClawScan security

Answer Box · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 12, 2026, 9:32 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are internally consistent: it locally returns one of 60 canned positive replies at random, requests no credentials, and performs no network or filesystem access.
Guidance: This skill is low-risk: it returns a locally stored random encouraging phrase and does not contact external servers or request credentials. It should not be relied on for professional advice. If you plan to use it in team settings, consider whether canned, non-customized replies are appropriate and whether you need content moderation for sensitive contexts. If you require deterministic behavior or logging, check how your platform runs the skill (it currently prints a single JSON output).

Purpose & Capability: okName/description (warm, positive one-line suggestions) match the provided implementation: a 60-entry local reply list and random selection. No unrelated capabilities or credentials are requested.
Instruction Scope: okSKILL.md instructs simple invocation and local random reply. The runtime code only reads optional CLI JSON args (ignored) and selects one canned reply — it does not read user files, environment variables, or send data externally.
Install Mechanism: okNo install spec is provided (instruction-only style) and no downloads/install steps exist in the bundle. The included Python script is self-contained and does not fetch external code.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The code does not access secrets or external services, so requested privileges are proportionate (none).
Persistence & Privilege: okalways is false and the skill does not modify system or other-skill configuration. Autonomous invocation is allowed by default on the platform but this skill's behavior is stateless and local.