Skill v1.0.0
ClawScan security
Pessimistic Offline Lock Implementer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 9:00 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is instruction-only, requests no credentials or installs, and its requested actions (reading/editing a codebase to implement pessimistic offline locks) are consistent with its stated purpose.
- Guidance: This skill appears internally coherent and lower-risk because it's instruction-only and asks for no secrets or installs. Before running it: (1) restrict the agent's edit access to a feature branch or staging repo so changes can be code-reviewed; (2) review any generated SQL/DB migrations and force-release authorization code to ensure you enforce proper RBAC and avoid creating a global unblock power; (3) verify that pessimistic locking is the right choice for your deployment topology (SELECT FOR UPDATE is unsafe across user think-time in many setups); (4) run the concurrent-acquire and timeout tests the plan produces in an environment that resembles production. If you need higher assurance, ask the publisher for a small example patch or unit tests produced by the skill before applying changes directly.
Review Dimensions
- Purpose & Capability: ok. Name/description ask for an end-to-end Pessimistic Offline Lock implementation plan and the skill's declared inputs (codebase, stack description), tools (Read/Grep/Edit/Write), and dependency on offline-concurrency-strategy-selector align with that purpose. There are no unrelated environment variables, binaries, or configs requested.
- Instruction Scope: ok. The SKILL.md content (shown excerpts) focuses on lock type choice, durable lock manager design, protocol, schema, UX for force-release, and tests. It explicitly requires reading persistence/session code and schema files — which is appropriate for implementing locking. It does not request unrelated file paths, secrets, or transmitting data to external endpoints.
- Install Mechanism: ok. This is an instruction-only skill with no install spec, no downloads, and no code files. That minimizes disk writes and third-party code installation risk.
- Credentials: ok. No environment variables, credentials, or config paths are required. Requested access (codebase, session management, DB schema) is proportionate to implementing lock behavior. The skill does mention force-release authorization/UX; those require appropriate RBAC in the target system but are not requests for secrets from the skill itself.
- Persistence & Privilege: ok. `always` is false, the skill has no install and does not request persistent system presence or modify other skills. It will read and edit project files (as declared), which is expected for an implementation task.
