Back to skill
Skillv1.0.0
ClawScan security
Dashboard Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:33 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and declared permissions are coherent: it reads/writes a single local dashboard file and does not request unrelated credentials or network access.
- Guidance
- This skill appears to do what it says: read and update a single local data.json. Before installing: 1) Confirm the DATA_FILE_PATH (D:\Projets\ClaudBot\Jarvis_Dashboard\data.json) actually points to the file you expect — otherwise the skill will fail or create/modify a different file. 2) Back up data.json before enabling the skill (it performs writes and frequent heartbeats). 3) If you don't want autonomous background writes, don't enable or configure auto_sync/heartbeat. 4) Review the included index.js if you want to verify no network calls or extra file paths are added. 5) Ensure file permissions for data.json are scoped appropriately so only intended users/processes can read it.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, index.js and skill.json all describe a dashboard manager that reads/writes a single local data.json file. The declared file permission matches the hardcoded DATA_FILE_PATH. Nothing requested (no env vars, no external services) appears unrelated to the stated purpose.
- Instruction Scope
- noteRuntime instructions and code operate only on the specified data.json and provide functions for notes, logs, stats, tasks and sub-agents. The SKILL.md specifies an automatic heartbeat (every 2s) and background 'silent mode' which means the skill will run autonomously and perform frequent writes; this is consistent with the purpose but users should be aware of frequent background file I/O.
- Install Mechanism
- okNo install spec; files are included in the package and no external downloads or installers are used. This minimizes installation risk.
- Credentials
- okThe skill requests no environment variables or credentials. Permissions in skill.json are limited to a single, explicit file path. That is proportionate to its stated functionality.
- Persistence & Privilege
- noteThe skill is not declared 'always: true'. It is allowed to be invoked autonomously (platform default), and the SKILL.md explicitly describes background auto-syncing. Autonomous operation combined with frequent writes is expected for this skill but worth noting for users who prefer manual control.