Skill v1.0.0
ClawScan security
RegexVisualizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 8:29 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements line up with its stated purpose: it uses a local copy of the Regulex web UI and puppeteer-core to export SVG/PNG images of a regex; nothing requests unrelated credentials or external privileged access.
- Guidance: This skill appears to do exactly what it claims: run a local Node script that loads the included Regulex HTML in a headless browser and writes SVG/PNG output. Before installing, note: (1) npm install will add puppeteer-core and its dependencies to the skill folder; (2) you must have a local Chrome/Edge installed (or set CHROME_PATH/--chrome); (3) the script launches the browser with --no-sandbox (common for headless automation) — only run it on trusted content and in a safe environment; (4) review assets/regulex.html if you have concerns about remote resource loading (the packaged file appears self-contained). If you only need simple diagram rendering and prefer fewer dependencies, consider alternative tools that don't require a headless browser, but from a coherence/security standpoint this package is consistent with its purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: the skill embeds Regulex-Plus HTML and provides a Node script that launches puppeteer-core to produce the same SVG/PNG output as the web UI. Required tooling (Node, local Chrome/Edge) is appropriate and documented. No unrelated env vars, binaries, or credentials are requested.
- Instruction Scope (ok): SKILL.md instructs running the included scripts, installing puppeteer-core, and supplying a regex/out path. The runtime instructions only read the included assets/regulex.html and write the requested <out>.svg/.png files. There is no instruction to read arbitrary user files, environment secrets, or transmit data to external endpoints. Note: since the HTML is rendered by a browser, if that HTML referenced remote assets it could cause network fetches; the bundled assets appear self-contained.
- Install Mechanism (ok): No automatic install spec is present (instruction-only), but package.json depends on puppeteer-core and SKILL.md documents running npm install. This is a normal, proportionate approach. puppeteer-core does not bundle Chromium so the script correctly requires a local browser; package-lock is included and references npm registry packages (expected).
- Credentials (ok): The skill requests no credentials or config paths. It optionally respects CHROME_PATH / PUPPETEER_EXECUTABLE_PATH or a --chrome flag to locate the browser, which is reasonable and proportional to launching puppeteer. No secrets are required or accessed.
- Persistence & Privilege (ok): always is false and disable-model-invocation is false (normal). The skill does not attempt to persist system-wide configuration, modify other skills, or request permanent elevated presence.
