Skill v1.0.0
ClawScan security
Legacy Code Addition Techniques · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 1:48 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only guide for making minimally invasive changes to legacy code (Sprout/Wrap) and its requested actions and assets are coherent with that purpose — it does not ask for credentials, installs, or unrelated system access.
- Guidance: This is an offline, instruction-only skill that guides making small, tested changes in a codebase. Before using it: ensure the agent (or person following the instructions) has access only to the intended repository, run changes in a feature branch, and review diffs/PRs before merging. Because the skill edits source and runs tests, verify test harnesses are properly mocked so tests don't hit external services or secrets. No environment secrets or network endpoints are requested by the skill itself, but always review any generated edits or commands before applying them to production code.
Review Dimensions
- Purpose & Capability: ok. The name/description match the SKILL.md instructions: the skill explains Sprout and Wrap techniques for adding behavior to legacy code. It requires access to a codebase and test framework, which is appropriate and expected.
- Instruction Scope: ok. The instructions ask the agent to read source files, identify change points, create new methods/classes, write tests (TDD), and run build/tests, all within the stated goal. There are no steps that instruct reading unrelated system files, exfiltrating data, or calling external endpoints.
- Install Mechanism: ok. This is instruction-only with no install spec and no code files to execute. No downloads or package installs are performed by the skill itself.
- Credentials: ok. The skill declares no environment variables, credentials, or config paths. Its needs (access to the codebase and test tooling) are proportional to the stated purpose.
- Persistence & Privilege: ok. The skill is not forced-always, does not require persistent installation, and does not request modification of other skills or global agent settings. Autonomous invocation is allowed by default but not combined here with any broad privileges.
