Skillv1.0.0

ClawScan security

suboya-en · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 24, 2026, 10:16 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only, self-contained philosophical thought-experiment generator whose requested footprint matches its description and does not ask for extra system access or secrets.
Guidance: This skill is instruction-only and internally consistent with its stated purpose, so the immediate technical risk is low. Before installing, consider: (1) provenance — ask who maintains it, license, and training/data sources; (2) content risk — the skill aims to produce persuasive 'civilization-level' narratives, so review outputs for bias, misinformation, or unintended persuasive framing before publishing; (3) data hygiene — do not provide sensitive personal, corporate, or classified input to the skill because generated outputs could be reused or shared by the agent; (4) deployment — if you plan to have the agent publish outputs externally, verify publishing controls and moderation. If you want higher assurance, request the skill's source or a tighter spec describing how outputs are used and any telemetry or external publishing behavior.

Purpose & Capability: okName and description (AI philosophy / thought-experiment generation) match the SKILL.md content: templates, example experiments, and reasoning flows. There are no unrelated requirements (no credentials, no binaries, no config paths).
Instruction Scope: noteSKILL.md contains only generation templates, engine descriptions, and examples. It does not instruct the agent to read files, access environment variables, call external endpoints, or collect system data. Note: the skill's text claims strategic intent (e.g., 'form public discourse', 'influence civilization narratives'), which is a scope/ethical consideration but not a technical inconsistency or a direct security risk.
Install Mechanism: okNo install spec and no code files — instruction-only. This is low-risk: nothing is downloaded or written to disk.
Credentials: okThe skill requires no environment variables, credentials, or config paths. There is no disproportionate request for secrets or unrelated credentials.
Persistence & Privilege: okFlags show default behavior (not always-on, user-invocable, model invocation enabled). Autonomous invocation is allowed by default on the platform but is not combined with other red flags here. The skill does not request persistent system presence or modify other skills.