Skill v0.1.3
ClawScan security
Gitignore Sync · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 9:31 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is internally consistent: it uses the included script to detect repo tooling, fetch gitignore templates from gitignore.io (toptal), and update a managed block in .gitignore without requesting credentials or unusual system access.
- Guidance
- This skill appears to do only what it says: detect repository tooling, fetch gitignore templates from the gitignore.io endpoint (https://www.toptal.com/developers/gitignore/api) and update a managed block in .gitignore. Before running: (1) review the templates the tool will apply (use --dry-run) so you know what ignore rules will be inserted, (2) run it from the correct repository root (or pass --repo), and (3) if you have network restrictions or want to avoid remote fetches, use --rules-file for offline input. The script does not require credentials or access other system resources. If you need higher assurance, inspect the bundled scripts/update_gitignore.py yourself and prefer dry-run first.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the provided code and instructions. The script detects repo files, maps tokens to known templates, fetches canonical rules from the gitignore.io endpoint, and writes a managed block — all expected for a gitignore-sync tool.
- Instruction Scope
- ok: SKILL.md restricts execution to scripts/update_gitignore.py, and the script's behavior is limited to inspecting the target repo (file/folder presence), optionally fetching rules from the gitignore.io API, and writing/updating a managed block in .gitignore. It does not read unrelated system files or attempt to exfiltrate secrets.
- Install Mechanism
- ok: No install spec; this is instruction-only plus a bundled Python script. There are no downloads or archive extraction during install. The script uses Python stdlib networking (urllib) to fetch templates at runtime.
- Credentials
- ok: No environment variables, credentials, or config paths are requested. Network access to the gitignore.io (toptal) API is used to fetch templates, which is proportionate to the stated purpose.
- Persistence & Privilege
- ok: Skill does not request always:true, does not modify other skills or global agent config, and only writes the repository's .gitignore managed block (expected scope).
