Skill v1.0.0
ClawScan security
Python Mutable Default Args · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:00 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only guide about Python mutable default-argument bugs; its claims, required resources, and instructions are coherent and proportionate.
- Guidance: This skill is a harmless, text-only explanation of a Python coding pitfall and how to fix it. It requires no install, no credentials, and does not instruct the agent to read or transmit files. You can safely enable or use it to get guidance on mutable default arguments. If you plan to act on its suggestions, consider enabling linters (pylint/ruff) and running a repository-wide search for patterns like '=[]', '={}', and '=set()' to find instances to fix. If you want stricter assurance, review the SKILL.md yourself — it contains all runtime instructions and performs no external actions.
Review Dimensions
- Purpose & Capability (ok): Name and description match the SKILL.md content. The skill only explains a common Python pitfall and remediation; it requests no binaries, credentials, or config that would be unrelated to that purpose.
- Instruction Scope (ok): Instructions are limited to explaining the bug, showing safe code patterns, suggesting heuristics for searching code (signatures like '=[]', '={}', '=set()'), and recommending linters (pylint/ruff). The skill does not instruct the agent to read system files, access environment variables, or transmit data externally.
- Install Mechanism (ok): No install spec or code files are present (instruction-only). Nothing will be written to disk or executed by an installer as part of installing this skill.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. No sensitive access is required to accomplish the stated purpose.
- Persistence & Privilege (ok): 'always' is false and the skill is user-invocable; autonomous invocation is allowed (platform default) but the skill's instructions are benign and do not require elevated or persistent system privileges.
