Skill v0.1.2
ClawScan security
semfind · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 21, 2026, 6:57 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's claims, runtime instructions, and resource needs are consistent: it's an instruction-only helper that suggests installing a local semantic-search CLI which downloads a small public model and indexes local files.
- Guidance: This skill is coherent for local semantic search, but before installing: (1) review the semfind PyPI package and its source/repository to ensure it comes from a trusted maintainer; (2) install in a virtualenv or sandbox if you want isolation; (3) expect the tool to download a model from the internet on first run and to read/index any files you point it at (logs, notes, etc.), so avoid pointing it at sensitive system or credential files; (4) verify the model source (BAAI/...) if you require auditable provenance.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: semfind is described as a local semantic search tool and the SKILL.md tells the user to install and run a local CLI to embed and search files. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (note): Instructions explicitly require reading user-specified files and maintaining caches in /tmp and ~/.cache; they also describe downloading a ~65MB model on first run. These actions are expected for local embedding-based search but do mean the tool will read local files and access the network to fetch the model.
- Install Mechanism (note): The registry contains no install spec; the SKILL.md instructs users to run `pip install semfind`. This is reasonable for an instruction-only skill, but pip packages are third-party code; installing them runs code from the package maintainer and pulls remote artifacts (model) over the network.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The declared requirements are minimal and align with the stated local-search purpose.
- Persistence & Privilege (ok): `always` is false and the skill does not request persistent platform privileges or modifications to other skills. The behaviour described (local caches) is limited to the user's filesystem.
