Skill v0.0.4

ClawScan security

ANSIClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 5:11 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requirements line up: it talks to a local Clawbius REST API to draw ANSI art, requires no credentials, and only writes image/ANS files to user home folders.
Guidance
This skill is coherent: it draws ANSI art by talking to a Clawbius service on localhost and saves output files in your home folders. Before installing/running: (1) confirm you have a trusted Clawbius binary (node.js) running on tcp/7777 — the skill will POST to that local endpoint; (2) review the included Python scripts if you care where files get written (they save to ~/Desktop and ~/Documents/ANSIClaw Output); (3) be cautious about using the API file-open capability to open arbitrary absolute paths—only open files in the skill's resources/ or other trusted locations to avoid exposing unrelated local files to the drawing process; (4) ensure Python 'requests' is installed. If you plan to run unmodified, these behaviors are expected and proportional to the skill's purpose.

Review Dimensions

Purpose & Capability
ok: Name/description claim (draw ANSI art via Clawbius) matches the included files and SKILL.md. The scripts only call a local API (127.0.0.1:7777) and perform drawing/export operations; required runtime pieces (node.js to run Clawbius, Python requests) are reasonable and explicitly documented.
Instruction Scope
note: SKILL.md and scripts instruct the agent to read reference files in the skill's resources/ folder, create new canvases, draw, and save/export PNG/ANS files to ~/Desktop or ~/Documents. That scope is appropriate for an art tool, but note the agent will issue POST /api/file/open with absolute paths and will save files into the user's home directory, so file-open/save operations are real filesystem actions and should be allowed only if you trust local Clawbius and the skill's scripts.
Install Mechanism
ok: No install spec; this is instruction/code-only. No external downloads or package installs performed by the skill itself. It relies on system-provided node.js and Python 'requests', which is proportional and documented.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths beyond local resource files. That matches the stated purpose.
Persistence & Privilege
ok: The skill is not marked always:true and does not attempt to modify other skills or system-wide settings. It writes output files into the user's home directories (Desktop/Documents), which is expected for an art-exporting tool.