Skillv1.0.0

ClawScan security

6 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 12, 2026, 3:12 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only design/architecture helper whose requested scope, lack of installs, and lack of credential requirements are consistent with its stated purpose.
Guidance: This skill is an architecture/design advisor and is internally coherent. Before enabling it: (1) understand it will ask for and rely on project/repo context — only enable if you trust the agent to read your repository files; (2) it does not require installs or credentials, and nothing will be written by the skill itself, but review any implementation plans it outputs before applying changes; (3) note the metadata oddity (registry name '6' vs SKILL.md name 'multiverse-architect') and the lack of a homepage/source — if provenance matters to you, ask the publisher for more info. Do not provide secrets or external credentials to the skill.

Review Dimensions

Purpose & Capability: okThe skill's description (generate multiple solution 'universes' and converge on one) matches the SKILL.md instructions. It is instruction-only and asks for conceptual analysis and a plan — nothing in the metadata or manifest requests unrelated resources. Minor metadata inconsistency: registry name/slug is '6' while SKILL.md calls the skill 'multiverse-architect' — this is odd but not a security risk.
Instruction Scope: noteThe SKILL.md expects the agent to build a problem snapshot, mention relevant tech stack, files, and conventions, and to infer constraints (team skills, deadlines) from context. This is coherent for an architecture advisor, but it is open-ended: the agent will rely on whatever project context it can access. The instructions do not tell the agent to read unrelated system files, environment variables, or external endpoints; however, effective use requires access to project/repo context (expected).
Install Mechanism: okNo install spec or code files are present. The skill is instruction-only, so nothing will be downloaded or written to disk by an installer.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The SKILL.md does not attempt to read secrets or request unrelated credentials.
Persistence & Privilege: okFlags are default (always: false, user-invocable: true). The skill does not request permanent presence or elevated privileges. Autonomous invocation is allowed by platform defaults but there are no other red flags that amplify risk.