Deep HJB Solver Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with its stated purpose, HJB solver code scaffolding, but one bundled scaffold script writes files based on an unvalidated user-supplied name, which could escape the intended project folders.
This skill appears intended for local HJB solver code generation and has no evidence of credential theft or exfiltration. Before installing or using it, be careful with the problem slug/name, keep it to simple snake_case, review generated files before running them, and use a virtual environment for the TensorFlow dependencies.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or mistaken problem name could make the agent write new Python files in unexpected locations on the local filesystem.
The CLI argument --name is used directly in filesystem paths without validation or normalization. If it contains '../' or is an absolute path, the script could create files outside the intended scaffold directories.
module_slug = args.name.strip().lower()
...
repo_root / "src" / "configs" / f"{module_slug}_config.py"

Validate slugs with a strict pattern such as snake_case only, reject absolute paths and '..', resolve each target path, and confirm it remains inside the intended repository subdirectory before writing.
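One way to implement the recommended checks, as an added example rather than the skill's own code: it assumes the scaffold takes a --name argument and writes under src/configs as the finding shows; the second src/problems target directory and the file-name suffixes are assumptions.

```python
import re
from pathlib import Path

# Strict snake_case: a lowercase letter, then lowercase letters, digits or underscores.
# This alone rules out '/', '\\', '.', ':' and whitespace, so '../x' and '/etc/x'
# can never pass; the containment check below is a second, independent layer.
SLUG_RE = re.compile(r"[a-z][a-z0-9_]{0,63}")

# Subdirectories (relative to the repo root) the scaffold may write into.
# "src/configs" appears in the finding; "src/problems" is an assumed second target.
SCAFFOLD_DIRS = ("src/configs", "src/problems")


def validate_slug(name: str) -> str:
    """Normalise a user-supplied --name and reject anything but snake_case."""
    slug = name.strip().lower()
    if not SLUG_RE.fullmatch(slug):
        raise ValueError(f"invalid problem slug {name!r}: use snake_case only")
    return slug


def is_within(base, candidate) -> bool:
    """True if candidate, after resolving '..' and symlinks, lies under base."""
    base = Path(base).resolve()
    candidate = Path(candidate).resolve()
    return candidate == base or base in candidate.parents


def scaffold_targets(repo_root, name: str) -> list[Path]:
    """Return the files the scaffold would write for `name`, or raise ValueError.

    Nothing is written here: the caller creates files only after every target
    has passed both the slug check and the containment check.
    """
    slug = validate_slug(name)
    targets = []
    for sub in SCAFFOLD_DIRS:
        base = Path(repo_root) / sub
        suffix = "_config.py" if sub.endswith("configs") else ".py"
        target = base / f"{slug}{suffix}"
        if not is_within(base, target):
            raise ValueError(f"refusing to write outside {base}: {target}")
        targets.append(target.resolve())
    return targets


if __name__ == "__main__":
    import sys
    for path in scaffold_targets(Path.cwd(), sys.argv[1]):
        print(path)
```

Resolving before the containment check also covers symlinked scaffold directories, which a plain string-prefix comparison would not.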
When used, the skill may create or copy files into a new problem folder without an extra confirmation prompt.
The skill instructs the agent to run mkdir/cp commands to copy bundled framework files. This is purpose-aligned and disclosed, but it reduces the chance for a user to review local file changes first.
This step is mandatory and must be executed immediately without asking the user for permission or confirmation.
Use the skill only when you want it to scaffold files, choose a fresh safe slug, and review the generated diff before running or committing the code.
Installing dependencies later could pull newer package versions with different behavior or vulnerabilities.
The dependency file uses broad lower-bound version ranges. These packages are expected for the skill's ML/plotting purpose, but versions can change over time.
tensorflow>=2.15.0
numpy>=1.21.0
matplotlib>=3.5.0
Install in an isolated virtual environment and consider pinning or locking exact dependency versions for reproducible training runs.
