Skill v1.0.0
ClawScan security
Favicons · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 1:34 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with its stated purpose (generating multi-platform favicons) and it does not request unrelated credentials, installs, or network access.
- Guidance: This skill appears to do exactly what it says: run the favicons Node library to create image/config files. Before installing, ensure you have Node.js and are comfortable running npm-installed packages. The included script writes files to whatever output directory you pass — choose a safe path and verify outputs. As with any third-party script, run it in a trusted environment (or sandbox) if the source is unfamiliar. Note: SKILL.md shows ES module import while the script uses require(); that's harmless but you should install the package into a project environment where the script runs. No credentials or network endpoints are used by the script.
Review Dimensions
- Purpose & Capability (ok): Name and description match the included script and documentation. The skill is a thin wrapper around the Node.js 'favicons' library and only needs filesystem access and the favicons package to perform its stated job.
- Instruction Scope (ok): SKILL.md instructs installing the favicons package and running the included Node script with a source image, output directory, and optional JSON config. The runtime instructions only reference relevant files/paths and do not ask the agent to read unrelated system files or credentials.
- Install Mechanism (ok): There is no automated install spec; SKILL.md recommends 'npm install favicons'. No downloads from arbitrary URLs or archive extraction occur. The approach is typical for a Node-based helper script.
- Credentials (ok): The skill declares no environment variables or credentials. The included script only uses Node standard libs and the favicons package; it does not access external secrets or unrelated services.
- Persistence & Privilege (ok): always is false and model invocation is normal. The skill does not request persistent platform privileges or modify other skills or system-wide settings.
