Skill v1.0.0

ClawScan security

Oo Design Smell Detector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 8:32 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only OO design-smell scanner that requests no credentials or installs; its required actions (reading a codebase, running grep-like checks, and writing a checklist/report) are coherent with its stated purpose.
Guidance
This skill is internally consistent: it reads the code files you point it at, runs pattern-based checks, and writes a checklist and a report. It requests no credentials and installs nothing. Before running it:
1) Point it explicitly at the directory or files you want scanned; do not run it at the filesystem root or your home directory, where it would read far more than one codebase.
2) Keep directories that contain secrets (.env files, private keys, credential files) or unrelated sensitive material out of the scan target.
3) Review the checklist and report files the skill writes (via Write/TodoWrite) so you control what ends up in the project.
For a targeted analysis, name the language and the specific classes or subsystems of interest; that limits which files the agent needs to open.
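The three pre-run steps above are easy to skip when a skill runs autonomously. The following script is an added example (not ClawHub's code and not part of the skill) that mechanizes them: it refuses the filesystem root and the home directory, classifies what a scan rooted at a target would read, flags files whose names look like credentials, and snapshots the tree so that everything the skill wrote can be listed afterwards. The source extensions, secret-name heuristics, skipped directories and the sample listing are assumptions chosen for illustration; adjust them to your project.

```python
"""Pre-flight scope check before handing a directory to a file-reading skill.

Added example, not ClawHub's or the skill's own code. It mirrors the guidance
above: refuse over-broad roots, surface files that look like secrets so they can
be moved out of the scan target, and snapshot the tree so that every file the
skill wrote can be reviewed afterwards.
"""
from __future__ import annotations

import os
from pathlib import Path, PurePath, PurePosixPath
from typing import Iterable

# Extensions an OO design-smell scan would plausibly read (assumption; edit per project).
SOURCE_EXTENSIONS = {".java", ".kt", ".cs", ".py", ".ts", ".js", ".go", ".rb",
                     ".php", ".cpp", ".hpp", ".c", ".h", ".swift", ".scala"}

# Names and suffixes that usually carry credentials (assumption; deliberately not
# exhaustive, and name-based only, so it over-flags rather than under-flags).
SECRET_NAMES = {".env", ".netrc", ".npmrc", ".pypirc", "id_rsa", "id_ed25519", "id_ecdsa"}
SECRET_SUFFIXES = (".pem", ".key", ".p12", ".pfx", ".jks", ".keystore")
SECRET_STEM_WORDS = ("credential", "secret", "service-account", "serviceaccount")

# Directories that are not the codebase itself and only inflate what the agent would read.
SKIP_DIRS = {".git", "node_modules", "vendor", "venv", ".venv", "build", "dist", "target"}


def looks_like_secret(path: str | PurePath) -> bool:
    """Heuristic on the file name only: does this look like a credential file?"""
    p = PurePosixPath(path)
    name = p.name.lower()
    if name in SECRET_NAMES or name.startswith(".env."):
        return True
    if name.endswith(SECRET_SUFFIXES):
        return True
    return any(word in p.stem.lower() for word in SECRET_STEM_WORDS)


def is_source_file(path: str | PurePath) -> bool:
    return PurePosixPath(path).suffix.lower() in SOURCE_EXTENSIONS


def is_overbroad_root(root: Path) -> bool:
    """Filesystem root and the home directory hold far more than one codebase; refuse both."""
    root = root.resolve()
    return root == Path(root.anchor) or root == Path.home().resolve()


def classify(files: Iterable[str | PurePath]) -> dict:
    """Pure logic over relative paths, so it can be exercised without a real tree."""
    report = {"source_files": [], "secret_like": [], "skipped": 0}
    for f in files:
        rel = PurePosixPath(f).as_posix()
        if looks_like_secret(rel):
            report["secret_like"].append(rel)
        elif is_source_file(rel):
            report["source_files"].append(rel)
        else:
            report["skipped"] += 1
    # Proceed only when there is something to scan and nothing that should not be read.
    report["ok"] = bool(report["source_files"]) and not report["secret_like"]
    return report


def snapshot(root: Path) -> dict[str, tuple[int, int]]:
    """Map relative path -> (size, mtime_ns) for every regular file under root."""
    snap: dict[str, tuple[int, int]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = Path(dirpath, name)
            st = full.stat()
            snap[full.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return snap


def diff_snapshots(before: dict, after: dict) -> list[str]:
    """Paths that are new or changed after the skill ran: the files to review."""
    return sorted(p for p, meta in after.items() if before.get(p) != meta)


def preflight(target: str) -> dict:
    """Classify what a scan rooted at `target` would touch, refusing over-broad roots."""
    root = Path(target)
    if is_overbroad_root(root):
        return {"root": str(root.resolve()), "ok": False,
                "reason": "refusing filesystem root or home directory"}
    report = classify(snapshot(root).keys())
    report["root"] = str(root.resolve())
    return report


def sample_report() -> dict:
    """Constructed listing standing in for a real tree (not a real project)."""
    return classify(["src/main/java/com/acme/Order.java", "src/OrderService.kt",
                     "config/.env.production", "deploy/service-account.json", "README.md"])


if __name__ == "__main__":
    import sys
    # With no argument, show the constructed sample; otherwise check a real directory.
    print(preflight(sys.argv[1]) if len(sys.argv) > 1 else sample_report())
```

Typical use: call `preflight()` on the intended target and fix anything in `secret_like` before enabling the skill; take a `snapshot()` immediately before the run and another after it, and `diff_snapshots()` gives the exact list of files the skill created or modified, which is the set to review. The classification is deliberately pure (it takes a list of paths), so the heuristics can be unit-tested and tuned without touching a real tree.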

Review Dimensions

Purpose & Capability
ok
Name, description, and runtime instructions align: detecting OO design smells requires scanning source files, applying grep patterns, and producing recommendations. The declared inputs (a codebase or a textual description) and the use of pattern lists map to the stated capability.
Instruction Scope
note
Runtime instructions tell the agent to inspect the target codebase (search for src/ directories, file extensions, and specific tokens such as 'new', 'extends', 'import', etc.). This is expected for a code analysis skill, but it does mean the agent will read files in whichever directory you point it at. The SKILL.md does not direct data to external endpoints or ask for unrelated system files, but it relies on platform file-reading tools (Read, Grep).
Install Mechanism
ok
No install spec and no code files are included. This instruction-only skill does not download or install additional software, which minimizes disk-write and remote-code risks.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. The only environment access implied is reading the specified codebase directory, which is proportionate to its function.
Persistence & Privilege
note
always=false (no forced presence). The skill requires the Write/TodoWrite tools to create a checklist and report in the project; that is reasonable for its purpose. Because the skill can be invoked autonomously (the default) and can write files, be mindful of the target directory and the output location when enabling it.