minimatch
Pass. Audited by ClawScan on May 15, 2026.
Overview
This is an instruction-only minimatch usage guide with no code, credentials, persistence, or hidden behavior; the main things to notice are normal npm package installation and the documented warning about unsafe user-supplied glob patterns.
This skill appears safe to install as an instruction-only guide. When using minimatch in your own code, avoid treating untrusted user text as a glob pattern, and pin or lock the npm dependency version for production use.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an application lets users supply arbitrary glob patterns, crafted input could cause excessive processing or denial-of-service behavior.
The skill documents that minimatch converts glob expressions to JavaScript regular expressions and that untrusted user-controlled patterns can be unsafe. This is purpose-aligned guidance rather than hidden behavior.
Note: Do NOT use user input as a pattern source, to prevent ReDoS attacks.
Only use trusted or validated patterns, escape literal user input, and consider length/complexity limits before matching.
Installing the latest package version can change behavior over time if the upstream package changes.
The skill instructs users to install a public npm package, but does not pin an exact version. This is a normal setup step for the stated purpose and is not automatically executed by the skill.
npm install minimatch
Use a lockfile or pin a known-good version in production projects.
