Back to skill
Skillv0.0.1
ClawScan security
cmg gem油藏数值模拟专家 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 9:32 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's claims (generate and debug CMG GEM DAT files) match its instructions and requirements — it's an instruction-only helper with no unexpected installs or credential requests.
- Guidance
- This skill appears coherent and focused: it provides templates, checks, and Windows run examples for CMG GEM DAT files and does not request credentials or perform installs. Before installing/using it: 1) ensure you run it only in environments where you have CMG GEM installed or where you are comfortable allowing the agent to suggest running local commands; the SKILL.md references a Program Files executable path (it won't itself install CMG). 2) Do not paste confidential reservoir or proprietary PVT/rock data unless you trust the environment where the agent runs, because DAT files and .out logs can contain sensitive information. 3) Note the examples are Windows/CMD-centric — verify output formatting and units if you use other OSes. 4) As always, review generated DAT files before executing them with a licensed simulator.
Review Dimensions
- Purpose & Capability
- okThe name and description (CMG GEM DAT generation and debugging) align with the SKILL.md content: DAT structure, grid/fluid/rock data, MVP template, error messages, and a local run command. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- noteInstructions stay on-topic (how to build DAT files, diagnose common GEM errors, and run the simulator). Note: runtime examples assume a Windows CMG executable path and instruct checking local .out logs and project directories — this is expected for the task but means the agent could try to run a local GEM installer/executable if available. The SKILL.md does not instruct reading unrelated system data or exfiltrating information.
- Install Mechanism
- okNo install spec or external downloads — instruction-only skill. This minimizes disk-write and supply-chain risk.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The single noteworthy point: generated DAT files and referenced .out logs may contain sensitive reservoir or experiment data — that is inherent to the skill's purpose, not an overreach.
- Persistence & Privilege
- okalways:false and no install means the skill does not request persistent system presence or elevated privileges. Autonomous invocation defaults are unchanged but present (user-invocable and model invocation allowed), which is normal for skills.