Skill v1.0.0

ClawScan security

Hash Toolkit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 20, 2026, 4:19 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (local hashing and simple deduplication); it requires no credentials or installs and contains only local, instruction-level code examples — but several implementation choices are simplistic and could be misleading for production/cryptographic use.
Guidance
This skill appears to do what it says: local hashing and simple deduplication helpers. It does not request credentials or install software. Before using in production, note these caveats: MD5 and SHA-1 are cryptographically weak — avoid them for security-sensitive integrity or auth; the sha512 result is truncated, which reduces entropy and could cause more collisions; the perceptual-hash implementation is only a placeholder and is not suitable for image-similarity detection — use a dedicated pHash/dHash/aHash library; similarity comparison operates on hex characters rather than bit-level Hamming distance. If you need cryptographic guarantees or reliable perceptual matching, replace the placeholder methods with vetted libraries and test on representative data.

Review Dimensions

Purpose & Capability
ok
Name and description (content hashing, MD5/SHA256, perceptual hashing) match the SKILL.md content. The examples and exported functions implement hashing and duplicate checks; no unrelated binaries, env vars, or external services are requested.
Instruction Scope
note
All instructions and code are local and self-contained. However, the perceptual hash is a placeholder (lowercasing and hashing) and will not produce meaningful image perceptual hashes; calculateHashSimilarity compares hex-character equality rather than bitwise Hamming distance. generateMultipleHashes includes weaker algorithms (md5, sha1) and truncates sha512 to 32 hex chars, which may mislead users about strength.
Install Mechanism
ok
Instruction-only skill with no install spec and no external downloads. No code is written to disk by an installer. Low installation risk.
Credentials
ok
No environment variables, credentials, or config paths are requested. The required surface is proportional to the stated purpose.
Persistence & Privilege
ok
Does not request always-on inclusion, does not modify other skills or system settings. Normal agent-invocation defaults apply.