Skill v0.1.0

ClawScan security

Ai Coach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 3:07 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only personal coaching skill whose declared capabilities and runtime instructions are consistent with its description and it does not request credentials or install code.
Guidance
This skill appears coherent and low-risk: it is instruction-only, asks for no credentials, and its behavior (goals, check-ins, motivation) matches its description. Before installing, consider: 1) the source is unknown — prefer skills from trusted publishers; 2) optional config env vars shown in SKILL.md are harmless unless you set them (the skill may read them if present); 3) the skill mentions integrations with other skills — review those other skills' permissions and required credentials before connecting them; and 4) if you plan to allow autonomous invocation in agents, test the skill with minimal access first. If you want higher assurance, ask the publisher for a homepage or source repository to review implementation details.

Review Dimensions

Purpose & Capability
ok: Name/description (AI coach) match the SKILL.md capabilities, commands, and examples. There are no unexpected required binaries, credentials, or config paths for the stated coaching functionality.
Instruction Scope
note: SKILL.md contains only coaching flows, example commands, example environment configuration variables (COACH_CHECKIN_TIME, COACH_WEEKLY_DAY, COACH_PERSONALITY) and mentions integrations with other skills. It does not instruct the agent to read arbitrary system files or external endpoints. Note: the example env vars are not declared as required in the registry metadata — they appear to be optional configuration knobs.
Install Mechanism
ok: No install spec and no code files (instruction-only). Nothing will be written to disk or downloaded at install time.
Credentials
note: Registry lists no required env vars or credentials. SKILL.md shows optional config env examples; these are reasonable for a coach but are not enforced. The skill references integrations (habit-tracker, task-manager, etc.) but does not request tokens or describe integration mechanisms — if you enable integrations, verify those skills' permissions.
Persistence & Privilege
ok: always is false and the skill is user-invocable. There is no evidence it requests permanent presence or modifies other skills or system settings.