Skill v1.0.0

ClawScan security

Form UX Best Practices · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 4:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (form UX/accessibility audits) matches its instructions and included files; it has no external installs, no credential requests, and the bundled script is a local, offline HTML analyzer.
Guidance
This skill appears internally consistent and focused on form UX/accessibility. If you plan to run the bundled script, inspect scripts/form_audit.py (it's a static HTML parser) before executing, and only feed it HTML or text you intend to analyze. Because the skill has no network or credential requirements, it won't exfiltrate secrets by itself, but as with any third-party skill, avoid giving it sensitive production data (real user PII, full payment data) unless you trust the source and have reviewed the code. If you need higher assurance, run the audit script in an isolated environment or review the full repository before enabling the skill in an automated/always-on agent.

Review Dimensions

Purpose & Capability
ok · Name/description match the provided assets and code. The skill is an opinionated auditing workflow and includes sample inputs, a report template, reference canon, and a local static form_audit.py, all directly relevant to form reviews. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
ok · SKILL.md defines a narrow, deterministic audit workflow (questions to collect, checks to run, and the exact report template to use). Instructions do not ask the agent to read arbitrary system files, exfiltrate data, or call external endpoints; they refer only to included assets and the provided form inputs.
Install Mechanism
ok · No install specification is provided (instruction-only skill). A local Python script is bundled for optional static audits, but there are no downloads, package installs, or remote URLs that would write arbitrary code to disk at install time.
Credentials
ok · The skill requests no environment variables, credentials, or config paths. The scope of required access is proportional to its purpose (analyzing form HTML/text).
Persistence & Privilege
ok · The skill does not request always:true and uses default invocation settings (user-invocable, model invocation allowed). It does not declare any behavior that would modify other skills or system-wide settings.