Skill v0.3.0

ClawScan security

Markdown Lint · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 1:33 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill's code, instructions, and requirements are coherent with its stated purpose (setting up markdownlint and pre-commit hooks); it only modifies repository files and does not request credentials or external hidden endpoints.
Guidance
This skill appears to do exactly what it says: lint and optionally fix markdown in a repository and add a pre-commit hook that rejects horizontal rules outside YAML frontmatter. Before installing: review the included scripts (scripts/check-horizontal-rules.sh) yourself to confirm you’re comfortable with the automated edits (it rewrites files by creating a .tmp and moving it), run it on a branch or backup so you can review changes, and note the pre-commit config points to a specific markdownlint-cli2 rev (run pre-commit autoupdate to get the latest). If you use Windows, run the shell parts in WSL/Git Bash. The skill does not request credentials or network exfiltration, but as with any repo-modifying tool, inspect scripts and test in a safe environment first.

Review Dimensions

Purpose & Capability
ok: The name/description (markdown linting, pre-commit hook, removing horizontal rules) matches the requested binaries (markdownlint-cli2, pre-commit) and the included script. All required tools and actions are appropriate for repository linting and automated fixes.
Instruction Scope
ok: SKILL.md instructs repository-local operations: creating .markdownlint.json, installing pre-commit hooks, running npx markdownlint-cli2, scanning and editing markdown files with the provided shell script. The script only reads and edits repository .md files and prints violations; it does not access environment variables, external credentials, or remote endpoints beyond the expected markdownlint GitHub repo referenced in the pre-commit config.
Install Mechanism
note: This is instruction-only (no install spec in registry), and SKILL.md uses npx (no global install) which is appropriate. Minor inconsistency: SKILL.md metadata lists a node install entry for markdownlint-cli2, but the manifest reports no install spec — this is likely informational and not dangerous, but you may want to confirm how the agent/platform will satisfy markdownlint-cli2 (npx vs installing a package).
Credentials
ok: The skill requires no environment variables or credentials. It asks for access to local repository files (expected for a linter) and uses only standard CLIs (node/npx, pre-commit). No secrets or unrelated service credentials are requested.
Persistence & Privilege
ok: The skill is not set to always: true and does not request persistent agent-level privileges. It modifies repository files and installs hooks (normal for this purpose) but does not change other skills or global agent configuration.