v1.0.0

csharp-developer

Suspicious

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:38 AM.

Analysis

This is mostly a normal instruction-only C# development skill, but it includes a hard-coded delivery message that could make unverified performance and security claims.

Guidance: This skill appears suitable for C#/.NET development help, but do not accept its final claims at face value. Ask it to show actual test, audit, benchmark, and coverage results before trusting statements about security, performance, or quality.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Review .csproj files, NuGet packages, and solution architecture ... Implement solutions leveraging modern C# features and .NET best practices

The skill directs the agent to inspect project files and implement changes. That is expected for a developer skill, but users should ensure edits are limited to the intended repository and task.

User impact: The agent may make project-level code or configuration changes when used with editing tools.
Recommendation: Use the skill only in the intended workspace and review proposed or applied code changes before committing or deploying them.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
metadata
Source: unknown; Homepage: none

The skill has limited provenance metadata. This is lower risk because it is instruction-only and has no install spec or code files, but users cannot easily trace the source.

User impact: Users have less information for judging who authored or maintains the skill.
Recommendation: Prefer skills with clear source and homepage metadata when provenance is important.

Unexpected Code Execution
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
Quality checklist: ... Tests passing ... Performance verified ... Security scan clean ... NuGet audit passed

The workflow implies test, profiling, scan, or audit activity. Those activities are normal for .NET development, but they can execute or analyze project code if the host provides such tools.

User impact: Running tests or profiling in an existing project can have side effects if the project itself contains unsafe test hooks or scripts.
Recommendation: Approve execution-related steps deliberately, especially in unfamiliar repositories.

Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
Delivery message: ".NET implementation completed. Delivered ASP.NET Core 8 API with Blazor WASM frontend, achieving 20ms p95 response time... comprehensive tests (86% coverage), and AOT-ready configuration reducing memory by 40%."

The skill provides a polished completion message with specific performance, coverage, security, and memory claims. If repeated without measured evidence, it could cause users to overtrust the result.

User impact: A user might believe performance, coverage, or security were verified when they were not.
Recommendation: Require the agent to report only measurements it actually performed, include commands/results, and avoid fixed success metrics unless verified.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
SKILL.md
Query context manager for existing .NET solution structure and project configuration

The skill relies on retrieved context about the project. Such context can be stale or incorrect, so it should be checked against actual project files.

User impact: Incorrect stored context could lead the agent to make wrong assumptions about the project.
Recommendation: Have the agent verify context against repository files before making changes.