Skill v1.0.0
ClawScan security
Characterization Test Writing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 12:46 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instruction-only skill whose requirements and instructions are coherent with its stated purpose of writing characterization tests for legacy code.
- Guidance: This skill is an instruction-only guide for creating characterization tests; it does not request credentials or install software. Before using it, ensure: (1) your repository has an xUnit-style test harness available and you permit the agent tools (Read, Edit, Bash) to access and modify the code; (2) you understand characterization tests intentionally lock in current behavior — they will preserve observed bugs as regression checks, so review test assertions before accepting them as 'correct'; (3) the skill depends on other skills (legacy-code-change-algorithm, change-effect-analysis, unit-test-quality-checker) — validate those dependencies if the agent will invoke them; (4) the skill is marked draft and sourced from the linked GitHub path, so consider auditing the SKILL.md and any dependent skills before granting broad agent permissions. No other red flags were found.
- Findings: [no_code_files_for_scan] expected: The regex-based scanner had no code to analyze because this is an instruction-only skill (SKILL.md only). Absence of findings is expected but not a substitute for reading the instructions.
Review Dimensions
- Purpose & Capability (ok): The name and description match the SKILL.md content: it's a step-by-step guide for writing characterization (behavior-preserving) tests. Declared dependencies (other testing/legacy-change skills) and required tools (Read, Edit, Bash) are proportional to the stated goal.
- Instruction Scope (note): SKILL.md stays focused on preparing a test harness, choosing scope, writing failing assertions then updating them to reflect current behavior, and iterating until coverage is sufficient. One notable, intentional point: it explicitly instructs preserving observed behaviors (including likely bugs) in tests — that is the correct behavior for characterization tests but the user should be aware this will codify current (possibly incorrect) behavior.
- Install Mechanism (ok): No install spec and no code files — this is instruction-only, so nothing is written to disk or fetched during install by the skill itself.
- Credentials (ok): The skill declares no environment variables, no credentials, and no config paths. The stated required tools are limited to repository/code operations (Read/Edit/Bash), which are appropriate for writing tests.
- Persistence & Privilege (ok): always:false and normal autonomous invocation are set (default). The skill does require agent tools that allow reading and editing the codebase; that is expected for a test-writing skill but implies the agent will need permission to modify project files.
