Skillv1.0.1

ClawScan security

transcript triage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 23, 2026, 3:47 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (parsing transcripts into triage lists) matches its instructions and it requests no extra installs or credentials; integrations are the only minor ambiguity.
Guidance: This skill appears coherent: it will parse transcripts you supply and produce categorized markdown lists. Before installing/using it, confirm how the agent will perform the listed 'integration' steps: where exactly will 'current epic-notes/' and 'memory/YYYY-MM-DD.md' be written, and what credentials (if any) are needed to push items to Backstage/ROADMAP/Memory systems? If you plan to feed sensitive transcripts into this skill, be sure you trust the agent's execution environment and any external LLMs or services you invoke. If you see follow-up versions that request environment variables, config paths, or remote-download installs, re-evaluate those changes because they would materially affect the risk profile.

Review Dimensions

Purpose & Capability: okName, description, and SKILL.md all describe parsing user-supplied transcripts into categorized lists (NOW/LATER/BACKLOG/DECISIONS). There are no declared binaries, env vars, or installs that are unrelated to this purpose.
Instruction Scope: noteInstructions are limited to parsing a provided transcript and producing a triage-formatted markdown output. However, the 'Integration Points' mention auto-adding NOW items to 'current epic-notes/', suggesting writing to project paths, and logging DECISIONS to 'memory/YYYY-MM-DD.md'. The skill does not declare config paths or details for these integrations, so the exact scope (local file writes, external APIs, or other skills) is ambiguous.
Install Mechanism: okInstruction-only skill with no install spec or external downloads; nothing is written to disk by an installer and no third-party packages are pulled in by the skill itself.
Credentials: noteThe skill declares no environment variables or credentials, which is appropriate for its described functionality. That said, the listed integration points imply interactions with other systems (Backstage, ROADMAP, Memory) that would typically require configuration or credentials; those are not requested or documented here.
Persistence & Privilege: okalways:false and no install-time persistence requested. The skill suggests writing triage results to other systems/files, but it does not request persistent privileges or modify other skills' configurations in its instructions.