Skill v1.0.0

ClawScan security

Triage Issues · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 6:24 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, required tools, and requested actions line up with a Gitee issue-triage task and do not ask for unrelated access or perform unexpected operations.
Guidance
This skill appears coherent for Gitee issue triage. Before installing or using it, confirm that a Gitee MCP server is configured and you understand which account/credentials that server will use (they determine whether updates/comments/assignments can be made). Because the skill can perform bulk updates, always review the triage report and explicitly confirm before applying changes. Consider testing on a small or sandbox repository first and verify audit/logging so you can see what changes were made.

Review Dimensions

Purpose & Capability
ok
Name/description ask for issue triage and the SKILL.md only references Gitee MCP operations (list_repo_issues, get_repo_issue_detail, update_issue, comment_issue) and repository identifiers — these are appropriate and expected for this purpose.
Instruction Scope
ok
Runtime instructions describe fetching issues, classifying them, generating a report, and asking for user confirmation before performing updates or comments. The SKILL.md does not instruct reading unrelated files, environment variables, or contacting unexpected endpoints.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. Minimal surface area — nothing is downloaded or written to disk by the skill itself.
Credentials
ok
The skill declares no environment variables or credentials. It relies on a configured Gitee MCP server (expected for interacting with Gitee). The only inputs are repository owner/name and optional filters, which are proportional to triage functionality. Note: the configured MCP server will supply whatever credentials are needed at runtime — ensure those credentials are appropriate for write actions.
Persistence & Privilege
ok
always is false and there is no install-time persistence or modification of other skills. The skill can be invoked (and the agent may call it autonomously per platform defaults), but that is normal for skills and not otherwise privileged here.