Skill v1.0.0
ClawScan security
Web Application Hardening Assessment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 11:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a white-box/black-box web-application hardening assessment and do not request unexplained credentials, installs, or elevated persistence.
- Guidance: This skill appears coherent for authorized security reviews, but it will read source code, configs, and logs, which can contain secrets or sensitive customer data. Only run it with explicit authorization and a clearly defined scope. Prefer running the skill in an isolated environment or on a copy of the codebase, review any generated reports before sharing, and avoid enabling optional network fetch capabilities unless you trust the endpoints. If you need stricter controls, require the skill to operate on sanitized artifacts (redacted logs, test accounts) rather than production data.
Review Dimensions
- Purpose & Capability (ok): The name/description (web application hardening) matches the declared inputs (codebase, HTTP logs, server configs) and the listed tasks (input validation, error handling, server hardening). No unrelated credentials, binaries, or installs are required.
- Instruction Scope (note): SKILL.md instructs the agent to read source code, config files, and traffic logs and to produce a findings report, which is appropriate for white-box/config audits. This inherently involves accessing potentially sensitive project data; the skill does note that testing must be authorized. The instructions do not appear to direct exfiltration to external endpoints, but optional network fetch tooling could enable outbound requests if used.
- Install Mechanism (ok): No install spec and no code files are present (instruction-only), so nothing is written to disk or downloaded during install. This is the lowest-risk pattern.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. Required access (codebase, logs) is proportional to the stated purpose of code/config inspection and architecture review.
- Persistence & Privilege (ok): The always flag is false, model invocation is allowed (normal), and the skill does not request persistent system-wide privileges or permission to modify other skills. No elevated persistence is requested.
