Skill v1.0.0

ClawScan security

Legacy Code Symptom Router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 1:48 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only diagnostic router for legacy-code situations that does not request credentials, install software, or ask for unrelated system access — its requirements are proportionate to its stated purpose.
Guidance
This skill is an instruction-only symptom router and appears internally consistent. Before installing: confirm you are comfortable with the agent having read access to the repository (the skill may use Read/Grep to inspect code if you provide pointers), and review any downstream skills it recommends (those separate skills may have additional requirements such as tools or credentials). Do not provide secrets or external service credentials to this skill — none are needed. If you want stricter limits, keep the skill user-invocable only and avoid granting the agent blanket repository access.

Review Dimensions

Purpose & Capability
ok
Name/description map directly to the instructions: the skill elicits a developer description, matches it to one of 19 symptoms from Feathers' book, and recommends downstream technique-specific skills. It declares no binaries, env vars, or installs — nothing requested is unexpected for a purely advisory/troubleshooting skill.
Instruction Scope
ok
SKILL.md confines runtime behavior to eliciting a plain-language symptom, asking targeted diagnostic questions, and mapping to downstream techniques. It allows optional examination of the codebase (tools-required: Read, Grep; Glob optional) which is coherent with the 'code helpful but not required' claim. There are no instructions to read unrelated system files, exfiltrate data, or call external endpoints.
Install Mechanism
ok
No install spec and no code files beyond prose are provided. Because this is instruction-only, nothing is written to disk or downloaded — the lowest-risk install profile.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The only declared resources are text inputs and optional code-reading tools; this is proportionate to a diagnostic/referral skill.
Persistence & Privilege
ok
Flags show normal defaults (always: false, autonomous invocation allowed by default). The skill does not request permanent presence or elevated privileges and contains no instructions to modify other skills or system-wide agent configuration.