Skill v1.0.0

ClawScan security

Algorithmic Art Anthropic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 2:31 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (creating p5.js algorithmic art) and requires no credentials or installs; no malicious or incoherent behavior was found, though there are a few minor non-security issues to be aware of.
Guidance
This skill appears to do what it says: generate p5.js-based algorithmic art and an interactive viewer using the supplied templates. Before installing or using it, consider the following:
(1) the viewer HTML loads p5.js from cdnjs.cloudflare and fonts from Google — opening the viewer triggers network requests to those public CDNs;
(2) SKILL.md asks the model to repeatedly assert that the work is 'meticulously crafted' and 'master-level' — that is a stylistic/deceptive risk (it may produce exaggerated authorship claims), so review generated text for accuracy;
(3) review generated code before publishing or distribution to ensure it doesn't inadvertently include copyrighted material from examples or external sources;
(4) the template mentions 'Anthropic' branding though the skill owner/homepage are unknown — if branding or trademark accuracy matters to you, confirm permission or remove branding;
(5) because this is instruction-only with templates, there is no installer footprint, but always inspect any generated files before executing in environments where you have sensitive data.
If you want stronger assurance, request provenance for the templates (author, source repo) or run the generated HTML in an isolated environment (browser sandbox) to observe network calls.

Review Dimensions

Purpose & Capability
ok: Name, description, SKILL.md, and included templates (.js and .html) all align: the skill is explicitly about producing p5.js generative art, seeded randomness, and interactive viewers. There are no unrelated binaries, environment variables, or config paths requested.
Instruction Scope
note: Runtime instructions are narrowly scoped to producing a philosophy (.md) and implementing p5.js .js/.html files. They do not instruct reading system files, external credentials, or exfiltrating data. One notable oddity: the SKILL.md explicitly requires repeating marketing-style phrases insisting the output appears 'meticulously crafted' and 'master-level implementation' — this is stylistic and could cause the agent to inject exaggerated claims about authorship/skill, but it is not a direct security risk.
Install Mechanism
ok: No install spec is provided (instruction-only skill plus static templates). Nothing will be downloaded or written by an installer. The viewer.html references common public CDNs (cdnjs p5.js, Google Fonts) for runtime assets — expected for a web viewer but note these are external network fetches performed by anyone who opens the HTML.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. All code is local templates and instructional; no secrets are required or requested.
Persistence & Privilege
ok: Skill flags are default (always: false, model invocation enabled). It does not request persistent or elevated privileges, nor does it modify other skills or system-wide settings.