Skill v1.0.0
ClawScan security
Change Effect Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 12:46 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions match its stated purpose (analyzing a codebase to produce a test-placement plan) and it does not ask for unrelated credentials, installs, or system-wide privileges.
- Guidance: This skill is coherent for its stated goal, but before using it: (1) ensure the agent has only the minimum read access needed to the repository (avoid granting broad system access); (2) don't run it against repos containing secrets unless those are removed or you run the analysis in an isolated environment; (3) confirm you have the prerequisite skill (legacy-code-change-algorithm) if required; (4) remember the skill uses grep/bash-style searches, so review any generated output for sensitive content before sharing externally.
Review Dimensions
- Purpose & Capability (ok): Name and description claim code-impact analysis, and the skill only requires reading the codebase and using simple navigation tools (Read, Grep, Bash, optional Edit). No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (ok): SKILL.md instructs the agent to locate change points, trace propagation mechanisms through source files, and produce an effect sketch and test plan. All operations are limited to reading and analyzing repository files; there are no instructions to access system credentials, external endpoints, or unrelated system files. It does expect the agent to run grep/bash-style searches, which is appropriate for code discovery.
- Install Mechanism (ok): There is no install spec and no code files. This instruction-only skill does not write code to disk or download external artifacts, which minimizes installation risk.
- Credentials (ok): The skill declares no environment variables, secrets, or config path requirements. The only resource it needs is read access to the target codebase, which is proportionate to its purpose. Be mindful that reading the repo may expose any secrets stored in source files.
- Persistence & Privilege (ok): The always field is false, and there is no indication the skill modifies agent/system configuration or demands permanent presence. Autonomous invocation is allowed by default but not elevated by the skill.
