Skillv1.0.0

ClawScan security

Ui Control Center · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 28, 2026, 10:41 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This instruction-only skill is internally consistent with its stated purpose (local UI maintenance) and does not request extra credentials or installs, though its runtime instructions are a bit high-level and should be implemented carefully.
Guidance: This skill is coherent and low-risk as written, but it is only a set of runtime instructions — there is no implementation included. Before installing or allowing autonomous execution, ask for the actual code or implementation plan and confirm: (1) port-conflict handling will not kill unrelated processes or exfiltrate data, (2) the server truly binds to 127.0.0.1, and (3) logs/audit data remain local or are handled per your policy. If you plan to let an agent act on these instructions autonomously, require explicit, limited implementations for any system-level checks (e.g., only probe the specific port, do not run broad process inspectors) and review them first.

Purpose & Capability: okName/description match the SKILL.md checklist: managing a local Agent Control UI, cache-busting, dashboard/tabs, and avoiding port conflicts on 8765.
Instruction Scope: noteInstructions are narrowly scoped to UI maintenance and include sensible safety rails (bind to 127.0.0.1, avoid blocking event loop). However they are high-level (e.g., “ensure only one server listens on 8765”) and leave implementation choices open; depending on how the agent implements this it could require inspecting system sockets or killing processes — request concrete implementation details or limits before granting runtime privileges.
Install Mechanism: okNo install spec and no code files — lowest risk from installation. Nothing will be downloaded or written by the skill itself as provided.
Credentials: okNo environment variables, credentials, or config paths requested; access expectations are minimal and proportional to the stated local UI task.
Persistence & Privilege: okSkill is not always-enabled and remains user-invocable. It does not request system-wide configuration changes or permanent presence.