Skill v1.1.0

ClawScan security

Shadows Doc Forge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 3:25 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
An instruction-only documentation generator whose declared behavior and requirements are internally consistent with its stated purpose.
Guidance
This skill appears coherent for generating documentation. Before installing or invoking it, confirm that the agent will be restricted to the intended repository/workspace so the skill cannot read unrelated sensitive files (e.g., .env, private keys). Review generated docs before committing them. Note the skill metadata shows no verified source/homepage in the registry (SKILL.md contains an internal homepage string), so if provenance matters, ask the publisher for an authoritative source or audit the agent's runtime logs to ensure it does not execute code or call external endpoints despite the SKILL.md claim.

Review Dimensions

Purpose & Capability
ok
Name and description (auto-documentation) match the instructions: the skill only reads source files, analyzes code structure, and writes markdown docs. It does not request unrelated binaries, cloud credentials, or system config paths.
Instruction Scope
note
The SKILL.md explicitly instructs the agent to list directories, read entry points/configs, analyze code, and write new markdown files. That is appropriate for a doc generator. One minor caution: the instructions are broad about "scan the project structure" and "read configs" — in practice that means the agent will read any files in its workspace, which could include sensitive config files if they exist. The skill states it will not execute code or make network calls; that is consistent, but "verify every code example and function signature" is ambiguous about whether verification is purely static.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. No packages or downloads are performed, so there is no install-time risk.
Credentials
ok
No environment variables, credentials, or config paths are required or declared. The SKILL.md does not reference any secrets or external tokens.
Persistence & Privilege
ok
The skill does not request always:true or other elevated persistence. It writes generated docs as new files alongside source (expected behavior) and does not claim to modify existing source or other skills' configurations.