v1.0.0

cpp-pro

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:37 AM.

Analysis

This instruction-only C++ skill is mostly aligned with programming help, but it includes a canned completion message that could falsely claim major performance and safety results.

Guidance: Before installing, be aware that this is an instruction-only C++ assistant with no declared code or dependencies. It is suitable for development help, but do not accept unverified claims such as 10x performance improvement or zero undefined behavior unless the agent shows the actual tests, benchmarks, and commands used.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
Implement solutions following C++ Core Guidelines and modern best practices

The skill is intended to modify or produce C++ project code, which is expected for a developer skill but should be reviewed before applying changes to a real codebase.

User impact: If granted file or command access, the agent may change source files or build configuration as part of normal C++ development work.
Recommendation: Review proposed code and build-system changes before accepting them, especially in production or safety-critical projects.
Unexpected Code Execution
Severity: Low; Confidence: High; Status: Note
SKILL.md
AddressSanitizer and UBSan clean; Test coverage with gcov/llvm-cov; Static analysis with cppcheck; Valgrind memory check passed

These quality checks are normal for C++ development, but running builds, tests, sanitizers, coverage, or Valgrind can execute project code if the host agent has command access.

User impact: Normal use may involve compiling and running local project tests or benchmarks, which can have side effects if the project code or build scripts are unsafe.
Recommendation: Only allow command execution in trusted repositories or after reviewing build and test commands.
Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
Delivery notification: "C++ implementation completed. Delivered high-performance system achieving 10x throughput improvement... All sanitizers pass, zero undefined behavior."

The skill prescribes a highly specific success message, including benchmark and safety claims, regardless of whether those results were actually achieved.

User impact: A user could be misled into trusting that major performance gains, sanitizer results, and absence of undefined behavior were verified when they may not have been.
Recommendation: Require the agent to report only results actually measured in the current task, with commands run, test output, and any limitations clearly stated.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Query context manager for existing C++ project structure and build configuration

The skill relies on retrieved project context. That is useful and purpose-aligned, but stale or poisoned context could influence code recommendations.

User impact: Incorrect stored project context could lead the agent to make inappropriate assumptions about files, build settings, or architecture.
Recommendation: Ensure project context is current and do not treat stored context as more authoritative than the actual repository contents.