Back to skill
Skillv1.0.0
ClawScan security
Gpt Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 20, 2026, 4:17 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are internally consistent with its stated purpose (GPT detection/model fingerprinting), request no credentials, perform no network or filesystem access, and appear to be an instruction-only heuristic implementation.
- Guidance
- This skill appears coherent and low-risk from a security standpoint: it runs only text-based heuristics and asks for no credentials or installs. However, the detection logic is a simple heuristic (phrase lists, structure and length metrics) and may produce false positives/negatives or be biased by writing style; do not rely on it for high-stakes decisions. If you will analyze sensitive content, remember the agent will pass that text into the skill at runtime — ensure you trust the agent runtime/environment. You may also consider: (1) testing the skill on representative samples before relying on results, (2) preferring validated detection tools or multiple detectors for critical use, and (3) reviewing or adapting the phrase lists/thresholds if you have domain-specific needs.
Review Dimensions
- Purpose & Capability
- okName/description match the provided implementation: the SKILL.md contains a self-contained JavaScript heuristic function that analyzes text for GPT-like phrases, structure, and sentence uniformity. Nothing requested (no env vars, no binaries, no installs) is disproportionate to this purpose.
- Instruction Scope
- okRuntime instructions and example usage show only local text analysis via the analyzeGPTContent(text, options) routine. The instructions do not direct the agent to read files, network endpoints, or unrelated environment variables.
- Install Mechanism
- okThere is no install specification and no code files beyond the SKILL.md sample — lowest-risk, instruction-only arrangement. Nothing is downloaded or written to disk by the skill itself.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The analysis operates purely on provided text input, so no secret access is requested or required.
- Persistence & Privilege
- okalways is false (default) and the skill does not request persistent system presence or modify other skills. Autonomous invocation is enabled by default on the platform but is not combined with any elevated privileges or sensitive access here.