Skill v1.0.0
ClawScan security
Source Code Security Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 11:43 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only white-box source-code security review guide and its requirements (no installs, no credentials, reading a codebase) match the described purpose.
- Guidance: This skill is coherent for authorized white-box reviews, but note it will read entire source trees (which often contain sensitive secrets). Only run it when you have explicit authorization and ensure the agent's access is limited to the intended repository and timeframe. Treat any discovered hardcoded credentials or PII as sensitive — store reports securely and rotate credentials found in code. If you need the agent to avoid transmitting findings outside your environment, verify the agent/tooling network policy (the SKILL.md itself does not request external uploads, but platform settings may).
Review Dimensions
- Purpose & Capability
- ok: Name and description describe a source-code security review and the skill only requests a codebase input and standard read/grep tools; there are no unrelated credentials, binaries, or installs.
- Instruction Scope
- ok: SKILL.md instructs the agent to run a structured, code-focused three-phase review (identify entry points, trace to sinks, line-by-line review) and to read repository source and config files — this stays within the declared purpose and does not direct unrelated system access.
- Install Mechanism
- ok: No install spec and no code files are present; the skill is instruction-only, so nothing is written to disk or fetched at install time.
- Credentials
- ok: The skill declares no environment variables, no credentials, and no config paths. The only required input is the codebase itself, which is appropriate for a white-box review.
- Persistence & Privilege
- ok: always is false and the skill does not request persistent system privileges or modifications to other skills. Autonomous invocation is allowed by platform default but is not combined with other concerning capabilities.
