Skill v1.0.0

ClawScan security

Inheritance Mapping Selector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 7:58 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only helper that recommends an ORM inheritance mapping, and its requested capabilities align with that purpose. No installers or secrets are requested, but it does ask for Read/Write access to code/docs, which you should scope carefully.
Guidance
This skill appears coherent and appropriate for choosing ORM inheritance mapping. Before enabling it, ensure the agent's Read/Write permissions are scoped to the project files you want it to analyze (model files, schema, docs) and not to unrelated directories with secrets. Review any automatic changes or migration snippets it produces before applying them to your database. If you prefer more assurance, run the skill on a non-production copy of the codebase/schema first.

Review Dimensions

Purpose & Capability
ok: Name/description match the declared behavior: the skill produces an inheritance mapping recommendation, ORM snippets, schema sketches, and migration advice. It declares no unrelated dependencies, env vars, or binaries, which is proportional for an architecture guidance tool.
Instruction Scope
note: SKILL.md explicitly says the agent may use architecture docs, ORM model files, and schema files and the execution metadata requires Read and Write tools. Reading the codebase and writing a decision record is appropriate for the stated goal, but these capabilities let the agent access arbitrary repository files if the agent's file access is not scoped. The instructions do not request secrets or system config, and there are no vague 'gather whatever context you need' directives beyond reading model/schema docs.
Install Mechanism
ok: There is no install spec and no code files—this is instruction-only. No downloads, packages, or binaries are installed, so there is minimal install risk.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The only environmental requirement is optional access to a codebase or docs, which is appropriate for producing accurate recommendations.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent or elevated platform privileges. It does request Write capability so it can produce and save a decision record; that is reasonable but should be limited to the intended project/output location.