Skillv1.0.2

ClawScan security

Model Switcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 23, 2026, 5:41 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and instructions are consistent with its stated purpose (auto-switching models based on task complexity); no disproportionate permissions, installs, or secret access are requested.
Guidance: This skill appears to do what it says: detect complexity and call session_status to switch models. Before installing, confirm that your agent platform provides a session_status tool and determine the exact model identifiers it expects (the SKILL.md shows both full model names and shorter tokens — update them to match your environment). Consider adding trigger keywords in other languages if you need that coverage, and set sensible rate-limiting or batching to avoid frequent unnecessary switches. Also verify you trust the custom model endpoints listed (they appear to be custom-hosted model names) since switching will route requests to those models managed by whoever controls them.

Review Dimensions

Purpose & Capability: okName/description (auto-switching between fast vs powerful models) match the SKILL.md's detection rules and explicit session_status calls to change models. There are no unrelated environment variables, binaries, or installs requested.
Instruction Scope: noteInstructions are narrowly scoped to detecting keywords and calling the session_status tool to change models. Minor issues: trigger keywords are only provided in Chinese (may miss other languages), and the implementation examples use short model identifiers ("kiro-cli", "haiku", "default") that do not exactly match the full model strings listed earlier (e.g., "custom-kiro-cli-vipdump-eu-org/claude-haiku-4-5"), which is an operational inconsistency but not a security problem. The doc also leaves behavioral choices (how often to switch, batching) to agent discretion; this is functional scope rather than a covert action.
Install Mechanism: okInstruction-only skill with no install spec and no code files. Nothing is written to disk or downloaded by an installer, which minimizes install-time risk.
Credentials: okNo environment variables, credentials, or config paths are requested. The skill does reference custom model names (hosted models) — users should be aware that switching uses whatever models are available in their environment, but the skill itself doesn't request secrets or unrelated credentials.
Persistence & Privilege: okalways is false and autonomous invocation is allowed (the platform default). The skill does not request persistent system presence or access to other skills' configs. Autonomous invocation combined with no credential access is low risk.