Skillv1.0.0

ClawScan security

Smart Cache · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 20, 2026, 4:18 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions and embedded code match the described caching purpose and do not request unrelated credentials, installs, or system access.
Guidance: This skill is internally coherent and low-risk: it’s an instruction-only skill containing example JavaScript for an in-memory cache and does not request credentials or perform network operations. Before using it in production, note that SKILL.md is only example code (there are no shipped code files or install steps) — you or your environment would need to actually include/execute the code. Review the implementation for scalability and correctness (updateAccessOrder uses array.filter which is O(n) per access and may not scale for large caches; calculateHitRate is a simplistic heuristic, TTL handling is in-memory only and not durable across restarts). If you need a production-ready cache, consider using a well-maintained library (e.g., lru-cache or a managed cache) rather than copying this snippet. Otherwise, it is reasonable to install/invoke for local testing or as a reference.

Purpose & Capability: okName/description (LRU/LFU, TTL) match the JavaScript implementation in SKILL.md. The code implements set/get/delete/evict and exposes SmartCache — all consistent with a caching utility.
Instruction Scope: okSKILL.md contains a self-contained JavaScript implementation and usage examples; it does not instruct the agent to read files, access environment variables, call external endpoints, or exfiltrate data. The instructions stay within the caching scope.
Install Mechanism: okNo install specification or remote downloads are present (instruction-only), so nothing is written to disk or fetched automatically during install — this is the lowest-risk model.
Credentials: okThe skill declares no required environment variables, credentials, or config paths; nothing in the SKILL.md attempts to access secrets or unrelated environment state.
Persistence & Privilege: okalways is false and there is no request to modify agent/system-wide settings. The skill does not ask for persistent presence or special privileges.