Skillv1.0.0

ClawScan security

DeepInspect Guardrails · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 17, 2026, 9:22 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, policy, and runtime instructions align with its stated purpose (preflight command risk classification); it is internally consistent with only minor, low-risk inconsistencies to note.
Guidance: This skill appears to implement what it claims: a local preflight classifier for shell-like commands. Before installing or running it: (1) ensure you have Node.js available (SKILL.md assumes node but required-binaries is empty), (2) review and, if needed, adjust policy.baseline.json.workspaceRoots to match your actual project workspace so OUTSIDE_WORKSPACE_PATH detection is meaningful, (3) verify the allowlistedDomains entry if you expect network checks (the code doesn't use it), and (4) because the source is 'unknown', inspect the included files yourself before granting any automation privileges — running the CLI locally is low-risk, but don't enable autonomous invocation in an environment where unreviewed skills can run commands without supervision.

Review Dimensions

Purpose & Capability: okThe name/description match the implementation: the code classifies command strings into allow/require_approval/block and emits reason codes. The policy file contains patterns and actions that the code uses. One minor inconsistency: policy.baseline.json contains an allowlistedDomains field that is not referenced by the implementation (harmless but unused).
Instruction Scope: okSKILL.md directs local use of the provided node CLI and tests. The instructions and code only read the bundled policy file and the provided command string; they do not access external endpoints, environment secrets, or unrelated system configuration.
Install Mechanism: noteNo install spec is present (lowest risk) and all code is local. However, SKILL.md and the CLI require node to run but the registry metadata lists no required binaries — this is a minor coherence gap (you need node/npm on PATH to run the skill). There are no remote downloads or archive extracts.
Credentials: okThe skill requests no environment variables or credentials and the code does not read secrets or config paths beyond the included policy file. The policy flags patterns that match sensitive paths (e.g., ~/.ssh, /etc) but the skill only detects those patterns rather than accessing those files.
Persistence & Privilege: okThe skill does not request persistent presence, does not write global agent configuration, and does not require elevated privileges. The skill is user-invocable and not always-enabled.