Skill v1.0.0

ClawScan security

Nex Deliverables · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 5, 2026, 3:19 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements are coherent with a local CLI deliverables tracker that stores data under ~/.nex-deliverables and does not request unrelated credentials or network access.
Guidance
This skill appears to be a straightforward local CLI app that stores data in ~/.nex-deliverables and installs a wrapper in ~/.local/bin. Before installing: (1) review setup.sh and nex-deliverables.py (you already have them) and confirm you're comfortable with files being created in your home directory; (2) run setup in a contained environment (container, VM, or throwaway user account) if you want to inspect behavior first; (3) note the CLI does not send data externally per the provided code, but if you modify it or add plugins, re-check for network calls; (4) ensure python3 is installed and ~/.local/bin is on your PATH (setup.sh suggests adding it if not). If you accept these, installation is consistent with the skill's stated purpose.

Review Dimensions

Purpose & Capability
ok: The name/description (client deliverable tracker) matches the provided files and CLI behavior. Required binary is python3 and the code implements local SQLite storage, client/deliverable management, search, exports, and email text generation — all consistent with the stated purpose.
Instruction Scope
ok: SKILL.md and the CLI only instruct running a local setup script and using the nex-deliverables CLI. Runtime instructions operate on local files (~/.nex-deliverables), the local SQLite DB, and stdout; there are no instructions to read unrelated system files, environment variables, or to transmit data to external endpoints.
Install Mechanism
note: There is no formal install spec in the registry, but a provided setup.sh performs installation: creates ~/.nex-deliverables, initializes the DB, makes nex-deliverables.py executable, and places a wrapper in ~/.local/bin. This is expected for a local CLI but does write files and a wrapper script into the user's home directory — reviewers should be aware the installer modifies ~/.local/bin and the data directory.
Credentials
ok: The skill requests no environment variables or external credentials. All data storage is local. There are no apparent requests for unrelated secrets or config paths.
Persistence & Privilege
ok: The skill does not force persistent inclusion (always: false). The setup script writes its own files and a CLI wrapper under the user's home, but it does not modify other skills or system-wide agent settings.