Shadows Doc Forge

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent, instruction-only documentation helper: it reads project files and creates docs, so users should review generated changes before sharing or committing them.

This skill appears suitable for documentation generation. Before installing or invoking it, decide the repository scope, review all generated files, and state explicitly whether the agent may edit existing source files to add inline comments.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may read broad parts of the target project and create new markdown documentation files in the repository.

Why it was flagged

The skill directs the agent to inspect repository files and create documentation files. This is expected for the stated documentation purpose, but it is still file-system activity the user should scope and review.

Skill content

1. **Scan** the project structure ... 2. **Read** entry points first ... then configs ... Generated documentation is written as new files only.

Recommendation

Run it only on intended projects, review generated files before committing or sharing, and exclude private configuration details from public documentation.

What this means

If interpreted broadly, the agent could add comments to source files when the user expected only separate markdown documentation.

Why it was flagged

The inline-comment guidance could be read as allowing source-file edits, while the security section says existing source files are not modified. This is an ambiguity rather than evidence of malicious behavior.

Skill content

Type 4 — Inline Code Documentation ... Rules for adding code comments ... It does not ... modify existing source files.

Recommendation

Tell the agent explicitly whether source-code edits are allowed; otherwise treat inline comments as suggested text rather than automatic code modifications.
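Both recommendations on this page (review generated files before committing, keep private configuration out of public docs, and make sure inline-comment guidance did not turn into source edits) can be enforced mechanically before a commit. The following is an added example, not code from the ClawScan report or from the Shadows Doc Forge skill: it parses the output of `git status --porcelain`, blocks any change that modifies an existing file or creates a file outside the agreed documentation directory, and scans the new markdown for credential-like strings. The allowed directory `docs/`, the status lines and the document contents are all constructed for illustration.

```python
"""Pre-commit guard for agent-generated documentation (added example).

Parses `git status --porcelain` output and enforces two rules:
  1. the agent may only ADD files under the allowed docs directories;
     any modified tracked file (e.g. an "inline comment" edit) is blocked;
  2. new docs must not contain secret-looking material.
All sample inputs below are constructed; paths are hypothetical.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ReviewResult:
    new_docs: list = field(default_factory=list)        # allowed new markdown files
    modified: list = field(default_factory=list)        # existing files the agent touched
    unexpected_new: list = field(default_factory=list)  # new files outside docs dirs

    @property
    def ok(self):
        return not self.modified and not self.unexpected_new


def review_porcelain(status_output, allowed_dirs=("docs/",), doc_suffixes=(".md",)):
    """Classify each `git status --porcelain` line (format: 'XY path')."""
    result = ReviewResult()
    for line in status_output.splitlines():
        if not line.strip():
            continue
        code, path = line[:2], line[3:]
        if " -> " in path:                      # rename: keep the destination path
            path = path.split(" -> ", 1)[1]
        is_new = code == "??" or code[0] == "A"
        if is_new and path.startswith(tuple(allowed_dirs)) and path.endswith(tuple(doc_suffixes)):
            result.new_docs.append(path)
        elif is_new:
            result.unexpected_new.append(path)
        else:                                   # ' M', 'M ', 'D ', 'R ', ... all mean an existing file changed
            result.modified.append(path)
    return result


# Deliberately simple patterns; a real deployment would use a dedicated secret scanner.
SENSITIVE_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "assignment_secret": re.compile(
        r"(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?[^\s'\"]{6,}"),
    "connection_string": re.compile(r"(?i)\b[a-z]+://[^/\s:@]+:[^\s@]+@[^\s]+"),
}


def find_sensitive_lines(text):
    """Return (line_number, pattern_name, stripped_line) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in SENSITIVE_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, name, line.strip()))
                break
    return hits


def gate(status_output, new_file_contents, allowed_dirs=("docs/",)):
    """Return (ok, report) where report lists every reason the commit is blocked."""
    review = review_porcelain(status_output, allowed_dirs)
    report = [f"BLOCK modified existing file: {p}" for p in review.modified]
    report += [f"BLOCK new file outside allowed docs dirs: {p}" for p in review.unexpected_new]
    secret_hits = 0
    for path in review.new_docs:
        for lineno, kind, _ in find_sensitive_lines(new_file_contents.get(path, "")):
            report.append(f"BLOCK {path}:{lineno} looks like {kind}")
            secret_hits += 1
    return (review.ok and secret_hits == 0), report


# Constructed sample: two docs were generated, one source file was edited with
# "inline comments", and a helper file appeared outside docs/.
SAMPLE_STATUS = """\
?? docs/ARCHITECTURE.md
?? docs/CONFIGURATION.md
 M src/server.py
?? src/utils.py
"""

SAMPLE_DOCS = {
    "docs/ARCHITECTURE.md": "# Architecture\n\nThe service exposes a REST API.\n",
    "docs/CONFIGURATION.md": (
        "# Configuration\n\n"
        "Set DATABASE_URL, e.g. postgres://app:Sup3rS3cret@db.internal:5432/app\n"
        "AWS key: AKIAIOSFODNN7EXAMPLE\n"   # well-known documentation placeholder key
    ),
}

if __name__ == "__main__":
    ok, report = gate(SAMPLE_STATUS, SAMPLE_DOCS)
    print("commit allowed" if ok else "commit blocked")
    for line in report:
        print(" ", line)
```

Wire `gate()` into a pre-commit hook with the real `git status --porcelain` output and the contents of the new files; the status parser treats anything that is not an untracked or added file as a modification, so an agent that "only added a comment" to a tracked source file is caught as well as one that wrote outside the documentation directory.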