Back to skill
Skillv1.0.0
ClawScan security
How To Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 25, 2026, 4:33 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only meta-skill that teaches how to author skills; its requests and content match its stated purpose and it does not ask for credentials or install anything.
- Guidance
- This skill is low-risk: it only contains prose teaching how to make skills and requests no installs, credentials, or filesystem access. Before publishing or acting on its examples, however, be mindful that the guide casually endorses copying public APIs/docs and bundling other people's work — review licensing and attribution policies if you reuse third-party content. Also double-check any CLI commands (e.g., 'clawhub publish') in your environment before running them, and pick specific trigger phrases (avoid generic matches like 'help') to prevent accidental activation. If you expect stricter autonomy controls, note that the platform default allows autonomous invocation of skills — this skill itself requests no extra permissions, but combining it with other skills that do could increase risk.
Review Dimensions
- Purpose & Capability
- okThe SKILL.md content explains how to pick topics, write SKILL.md files, add trigger phrases, and publish — which matches the skill's name and description. The file contains no unexpected requirements (no binaries, env vars, or config paths).
- Instruction Scope
- noteInstructions stay within the stated scope of teaching skill creation. Minor concern: the guidance casually recommends copying existing API/docs and composing wrapper/bundle skills, which can encourage plagiarism or repackaging third-party APIs without proper attribution or licensing. The doc does not instruct reading system files, accessing credentials, or contacting external endpoints.
- Install Mechanism
- okNo install spec or code is present (instruction-only). Nothing will be written to disk or downloaded by the skill itself.
- Credentials
- okNo environment variables, credentials, or config paths are requested or required — proportional and minimal for the stated purpose.
- Persistence & Privilege
- okThe skill does not request persistent or elevated privileges. always is false and no modifications to other skills or system-wide settings are described.