Skill v1.0.0
ClawScan security
Component Identifier · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 12, 2026, 5:01 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only component-identification helper whose requested actions and tooling (reading a codebase, asking for requirements) are coherent with its stated purpose.
- Guidance: This skill appears coherent: it will ask for system requirements and may request to read your codebase to identify components. Before using it, decide which repository paths are safe to expose (avoid scanning directories with secrets, keys, or sensitive configs), confirm whether you want the agent to write analysis artifacts into the repo or a separate output location, and be aware it may reference results from the related 'architecture-characteristics-identifier' skill. If you have sensitive files in your workspace, restrict the agent's Read access or provide sanitized inputs (requirements and representative code samples) instead of full repository access.
Review Dimensions
- Purpose & Capability (ok): Name and description match the instructions: the skill guides decomposition of systems and asks for requirements, actors, workflows, and (if present) the existing codebase. There are no unrelated env vars, binaries, or configuration paths declared.
- Instruction Scope (note): The SKILL.md explicitly instructs the agent to inspect 'existing codebase' and to use Read/Write (and optionally Grep/Glob) to discover package/service structure. That is appropriate for this purpose, but it means the agent may read repository files and write analysis outputs; confirm what directories are in-scope and avoid scanning secrets or unrelated configuration files.
- Install Mechanism (ok): There is no install spec and no code files; the skill is instruction-only, which minimizes on-disk risk.
- Credentials (ok): The skill declares no environment variables, credentials, or config paths. Its need to read a codebase (via agent tools) is proportional to its purpose; there are no unexplained secrets or unrelated credential requests.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent or elevated agent-wide privileges. It does not attempt to modify other skills or global agent settings in the provided instructions.
