Skill v1.0.0
ClawScan security
Build Refactoring Test Suite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 6:10 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, requirements, and intended behavior are internally consistent: it is an instruction-only skill that guides building tests, requires no external credentials or installs, and only needs read/write access to the codebase and a test runner.
- Guidance: This skill is coherent and low-risk: it will read repository files, create test files/fixtures, and run the project's test runner. Before installing or allowing autonomous runs, ensure the agent has access only to the repository you trust, commit or back up the codebase so you can revert test-file changes, and confirm a suitable test runner is installed in the environment. If you prefer to review changes first, keep the skill user-invocable and do not enable autonomous invocation for it (or review the created test files and test run output before merging).
- Findings: [no_regex_findings] expected: The static scanner found no code to analyze because this is an instruction-only skill (SKILL.md only). That absence is expected and consistent with the skill's design.
Review Dimensions
- Purpose & Capability (ok): Name and description (building a test suite before refactoring) match the SKILL.md tasks and the declared tools (Read, Write, Bash). Nothing requested (no env vars, no binaries, no install) is unnecessary for writing and running tests against a codebase.
- Instruction Scope (ok): The SKILL.md instructs the agent to read the target code and project files, detect the language/test framework, create test files and fixtures, and run the project's test runner. These actions are directly tied to the stated purpose and do not request unrelated system secrets or remote endpoints. It does assume the agent may run commands and create files in the repository, which is appropriate for this task.
- Install Mechanism (ok): No install spec / no code files. This is the lowest-risk setup: nothing is downloaded or written outside the working repository beyond the tests the skill will create.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The SKILL.md references standard project files (pyproject.toml, package.json, pom.xml, go.mod) to infer language/framework, which is proportional to the goal.
- Persistence & Privilege (ok): always is false and the skill is user-invocable. It does not request permanent elevated privileges or try to modify other skills or system-wide settings. Its runtime actions (reading/writing tests and running the test runner) are expected for its purpose.
