Back to skill
Skillv1.0.0
ClawScan security
Promote Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 30, 2026, 8:55 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only publishing checklist for promoting SKILL.md files and its requested actions and inputs are coherent with that purpose.
- Guidance
- This is a coherent publish/promote checklist, but take these precautions before using it: (1) never expose real secrets — follow the pre-publish secrets scan and run it in a directory that only contains the skill source (or inspect the grep hits manually); (2) prefer dry-run options (sh1pt/ugig CLIs often support --dry-run) and review generated commands before executing them; (3) when asked for credentials or an authenticated browser profile, supply only the minimum required and avoid automated uploads using unknown tooling; (4) verify any public raw URL contains no secrets and confirm paywalled/content-gating works as expected before linking it in marketplace listings; (5) ensure you own the content and have the right to publish it. Given these caveats, the skill appears internally consistent with its stated purpose.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: everything relates to publishing a SKILL.md to marketplaces. Optional mention of marketplace credentials or an authenticated browser profile is expected for publishing workflows.
- Instruction Scope
- noteSKILL.md stays within publishing/promotion scope (validate, create public raw URL, run marketplace CLIs or forms). It recommends a recursive secrets grep (grep -RInE ...) across the current dir which is reasonable for pre-publish scanning but does read local files beyond the SKILL.md — users should be aware this inspects files in '.' and avoid running it in directories containing unrelated secrets.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. Risk is low because it does not download or install third-party artifacts.
- Credentials
- okThe skill declares no required env vars or credentials. It sensibly lists marketplace credentials/browser profile as optional inputs for publishing; this is proportional to the task.
- Persistence & Privilege
- okalways:false and default invocation settings are used. The skill does not request permanent presence or modify other skills/config; no elevated privileges are requested.