Skill v1.0.0

ClawScan security

RedHat Code Refactor Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 24, 2026, 2:53 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only refactoring guide that is internally consistent with its stated purpose and does not request unrelated credentials, installs, or privileged persistence.
Guidance
This skill is a text-only refactoring procedure and appears coherent. Before enabling it, note that it will need access to your codebase and test tooling to run the validation steps — review and run any proposed diffs/commits yourself, ensure tests exist or add characterization tests, and confirm the project has the appropriate test runner (the example shows pnpm). Because the skill can be invoked by the agent, avoid granting it credentials or network access it doesn't need, and require human review of actual code changes or merges. If you need higher assurance, run the agent in a sandboxed environment and require pull-request-based workflows so changes are reviewed before merging.

Review Dimensions

Purpose & Capability
ok
Name/description (refactor code safely) align with the content: the SKILL.md contains step-by-step refactoring instructions, validation guidance, and expected outputs. Nothing requested (no env vars, no binaries, no installs) is disproportionate to this purpose.
Instruction Scope
ok
Runtime instructions are limited to code-refactoring workflows: run tests, add characterization tests, make small commits/patches, and re-run validation. The instructions imply access to the target repository/files and test runner (expected for a refactor tool) and do not ask for unrelated system files, credentials, or external endpoints.
Install Mechanism
ok
There is no install spec and no code files — the skill is instruction-only, so nothing is written to disk or downloaded during install.
Credentials
ok
The skill declares no environment variables, credentials, or config paths. The example mentions running 'pnpm test', but that is an example command (not a declared requirement) and is proportional to the task of validating refactors.
Persistence & Privilege
ok
The skill does not request 'always: true' or any persistent privileges, nor does it modify other skills' configs. Autonomous invocation is allowed by default on the platform but is not combined here with broad access.