Skill v1.0.0

ClawScan security

Implement Issue · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Mar 9, 2026, 8:10 AM)
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The instructions, required resources, and scope align with the stated purpose (implementing a Gitee issue); it needs access to a local repository checkout and a configured Gitee MCP server, which you should verify before use.
Guidance
This skill appears coherent for implementing Gitee issues, but review these practical points before enabling it:

- The agent will need read/write access to a local repository checkout (or you must provide a path). Only run it in a repository clone you trust or in a sandbox/copy to avoid unintended changes.
- The skill relies on a preconfigured Gitee MCP server (which will hold Gitee credentials). Verify those credentials are present, have the minimal scopes required (create PRs, comment, read issues), and are stored securely.
- Confirm you want the agent to create PRs and post comments automatically; consider requiring explicit user confirmation before making commits, pushing, or creating PRs.
- Note the small documentation mismatch (names for list/comment functions). If you rely on a specific MCP API surface, validate the exact tool names available in your environment.

If you want to be extra cautious: provide a throwaway or limited-permission token for the MCP server and run the agent against a feature branch or local clone you can discard.

Review Dimensions

Purpose & Capability
ok
The skill is explicitly for implementing Gitee Issues via an MCP server. It asks for the repository, issue number, and a local repo path so the agent can read/modify source files and create a PR — all coherent with the described purpose.
Instruction Scope
ok
SKILL.md confines actions to issue retrieval, analysis, local code changes, commenting, and PR creation via the MCP tooling. It asks the agent to read and modify the local repository (which is necessary for coding). Minor inconsistency: the documented helper names include both `list_repo_issues` and `list_issue_comments` (one appears in the prereq list and the other in the steps) — this is likely a small doc mismatch, not a scope expansion.
Install Mechanism
ok
Instruction-only skill with no install spec, no downloads, and no code files — minimal installation risk.
Credentials
note
The skill declares an mcp-servers dependency on Gitee but requests no explicit environment variables. In practice the MCP server configuration will contain Gitee credentials; the skill does not itself request unrelated secrets or broad system access. It would be helpful if the skill documented the expected credential scopes or where the MCP credentials are stored, but the current requirement is proportionate to the task.
Persistence & Privilege
ok
The skill is not always-enabled and does not request persistent platform privileges. It does not modify other skills or system-wide settings according to the provided content.