Back to skill
Skillv0.1.0
ClawScan security
Circos Plot Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 9:50 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are consistent with its stated purpose (generating Circos configuration files from CSV inputs); it reads input CSVs and writes local config/data files and does not request credentials or perform network activity.
- Guidance
- This skill appears coherent and focused: it reads CSV input files you provide and writes Circos config/data files to the output directory. Before running, review the input CSVs (make sure they contain only data you intend to share) and set the output path to a directory you control. Note the SKILL.md lists Bash as an allowed tool even though the included Python code doesn't call the shell; if you plan to allow the agent to run Bash commands, be aware that gives the agent broader file- and process-level capabilities. Also the requirements.txt lists 'yaml' but the visible code doesn't import it — you may want to review the full SKILL.md/code to confirm any additional runtime dependencies before executing.
Review Dimensions
- Purpose & Capability
- okName/description (Circos config generator) align with the included code and SKILL.md: the package reads user-supplied CSV data and emits Circos configuration and data files. No unrelated credentials, binaries, or services are requested.
- Instruction Scope
- okRuntime instructions and the Python code operate on user-supplied data files and the local output directory. The SKILL.md allows Read/Write/Bash/Edit tools; the code uses file I/O but does not invoke shell/network calls. The only minor mismatch is that Bash is allowed in SKILL.md but the provided code does not need it.
- Install Mechanism
- okNo install specification (instruction-only) is provided. A small requirements.txt (yaml) is included but no installer is requested. Nothing is downloaded or executed from external URLs.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The code only reads data files supplied via the config and writes output under the specified output directory.
- Persistence & Privilege
- okalways is false and the skill does not request persistent privileges or modify other skills or global agent settings. It creates its own output/data directories only.