Skill v1.0.0

ClawScan security

RedHat Frontend Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 1:06 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requested resources and runtime instructions are coherent with its stated purpose of scaffolding frontend projects; there are a few minor metadata and documentation mismatches to verify before use.
Guidance
This skill appears coherent for scaffolding frontend projects, but do these checks before installing or running it:
1) Verify the skill origin — registry metadata owner ID (kn741...) differs from the internal _meta.json ownerId (redhat-agent-001) and there's no homepage/source link; prefer skills with a clear publisher and repo.
2) Decide which environment variables (e.g., API_BASE_URL) you will provide; the SKILL.md references env usage but does not declare names.
3) When the agent scaffolds files, review the generated code (especially the API client and any server proxy guidance) to ensure no secrets are embedded and endpoints are as expected.
4) Because this is instruction-only, it will create files in whatever working directory the agent runs in — run it in a controlled sandbox or repo to avoid accidental overwrites.
If you want higher assurance, ask the skill author for a repository or example output to inspect before trusting it in production.
Findings
[no-findings] expected: The regex-based scanner had no code files to analyze (instruction-only skill). This is expected; absence of findings does not imply safety — review SKILL.md as primary signal.

Review Dimensions

Purpose & Capability
ok: The name/description (frontend scaffolding, safe API integration, quality gates) matches the instructions (scaffold project structure, API client layer, lint/tests/build). There are no unexpected credentials, binaries, or installs required for this purpose.
Instruction Scope
note: Instructions are scoped to creating project files, adding a client API layer, accessibility guardrails, tests, and build validation — all consistent. Minor gap: the SKILL.md states the API client's base URL should be provided 'via env' and that outputs include 'notes about env vars', but the skill does not declare any specific required env var names. Also the runtime instructions expect writing files in a 'target directory' (normal for a scaffolder) — confirm the agent has the intended working directory and permissions.
Install Mechanism
ok: Instruction-only skill with no install spec or code to download; this is low risk and expected for a scaffolding/instruction skill.
Credentials
note: The skill requests no credentials or config paths (proportionate). It does reference using environment variables for base URL and notes about env configuration, but does not declare specific env vars — this convenience gap is a documentation mismatch rather than a secret-exfiltration risk. No secrets are requested or embedded by the skill itself.
Persistence & Privilege
ok: 'always' is false; the skill is user-invocable and may be invoked autonomously (platform default), but it does not request persistent system-wide changes or modify other skills/configs. Expected privilege level for a scaffolder.