Skillv1.0.0

ClawScan security

mo-test-1 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 18, 2026, 4:29 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's declared purpose (create p5.js algorithmic art) matches its files and instructions; it requests no credentials, has no install step, and contains only client-side templates and guidance.
Guidance: This skill appears coherent and safe for generating p5.js art. Things to consider before installing: (1) The generated viewer.html loads p5.js and Google Fonts from public CDNs—if you require offline use or disallow external network requests, replace or vendor those libraries. (2) The SKILL.md enforces repetitive, high‑praise language about craftsmanship; expect the generated 'philosophy' text to include such phrasing. (3) As with any code templates, review the generated .js/.html before running them in production or exposing them to users (to ensure you are OK with the external resources and any UI/customization the template contains). No credentials or installs are required.

Review Dimensions

Purpose & Capability: okName/description, SKILL.md, and included templates (generator_template.js and viewer.html) are coherent: all material is about authoring p5.js generative art. There are no unrelated dependencies, credentials, or platform access requests.
Instruction Scope: okRuntime instructions are narrowly scoped to creating an 'algorithmic philosophy' and producing .md, .html, and .js artifacts for p5.js sketches. The instructions do not ask the agent to read system files, environment variables, or transmit data to external endpoints beyond producing the artifact. One stylistic note: the guidelines insist on repeatedly emphasizing 'master-level' craftsmanship in the philosophy, which is a content-generation quirk, not a security problem.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code fetched at install time. The included viewer.html references external CDNs (p5.js and Google Fonts) for runtime in the browser; this is expected for a web-based viewer template but means the rendered page will fetch third-party assets when opened.
Credentials: okNo required environment variables, credentials, or config paths are declared or used. The skill does not request secrets or access to other services.
Persistence & Privilege: okalways is false and the skill is user-invocable; autonomous invocation is allowed (platform default) but the skill does not request elevated or persistent system privileges or modify other skills' settings.