Skill v1.0.0

ClawScan security

revol-guide-creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Mar 1, 2026, 6:24 AM)
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and required access are consistent with a local project documentation generator: it reads and writes project docs but does not request credentials or make external network calls.
Guidance
This skill appears coherent and focused on creating/updating local project documentation. Before running it or granting the agent permission to execute it:
1) Review the two bundled Python scripts (scripts/init_guide.py and scripts/update_guide.py) in your repository copy to confirm they are complete and contain no unexpected network calls. The manifest excerpt shows update_guide.py truncated in the listing, so verify that the file on disk is intact.
2) Run the scripts in a safe directory or a cloned repository and back up important files first: they create or overwrite start.md and files under guide/, and they prompt for confirmation unless --force is used.
3) If you allow autonomous invocation, remember that the agent will read project documentation files to 'recover context'. This is by design, but avoid enabling the skill on projects that contain secrets in plain text.
4) If you need stricter safety, run the scripts manually rather than allowing the agent to execute them, or inspect their contents line by line.
Overall risk is low, but standard caution (backup, code review, running in a sandbox) is recommended.
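One concrete way to carry out step 1 (and the truncation check the scanner raises) before granting execution, as an added example that is not part of ClawHub's scanner output or the skill's own scripts: a small static audit that parses each bundled script with Python's ast module without executing it, reports network-capable imports and shell/eval calls, and fails on any file that does not parse, which is exactly how a copy of update_guide.py cut off mid-statement would show up. The three embedded sample sources are constructed for illustration, and the flagged module and call names are an assumed watch-list, not something the scanner defines.

```python
import ast
from pathlib import Path

# Assumed watch-list (not defined by the scanner): modules that give a script
# network reach. A local docs generator has no reason to import these.
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "httpx",
                   "ftplib", "smtplib", "aiohttp", "ssl"}
# Calls that let a script run other programs or arbitrary code.
EXEC_CALLS = {"os.system", "os.popen", "eval", "exec"}


def _dotted_name(node):
    """Return 'a.b.c' for an a.b.c attribute chain, else None (e.g. for call results)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def audit_source(src: str, name: str = "<script>") -> dict:
    """Statically audit one Python source string; the source is never executed."""
    findings = {"name": name, "syntax_ok": True, "error": None,
                "network_imports": [], "exec_calls": []}
    try:
        tree = ast.parse(src, filename=name)
    except SyntaxError as e:
        # A file cut off mid-statement (a truncated copy) lands here.
        findings["syntax_ok"] = False
        findings["error"] = f"line {e.lineno}: {e.msg}"
        return findings
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            mods = [a.name for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods = [node.module]
        elif isinstance(node, ast.Call):
            fn = _dotted_name(node.func)
            if fn and (fn in EXEC_CALLS or fn.startswith("subprocess.")):
                findings["exec_calls"].append(f"{fn}@{node.lineno}")
            continue
        else:
            continue
        for m in mods:
            if m.split(".")[0] in NETWORK_MODULES:
                findings["network_imports"].append(m)
    return findings


def is_clean(findings: dict) -> bool:
    """True only if the file parsed and nothing on the watch-lists was found."""
    return bool(findings["syntax_ok"] and not findings["network_imports"]
                and not findings["exec_calls"])


def audit_files(paths):
    """Audit real files, e.g. audit_files(['scripts/init_guide.py', 'scripts/update_guide.py'])."""
    return [audit_source(Path(p).read_text(encoding="utf-8"), str(p)) for p in paths]


# Constructed samples for illustration; these are not the skill's real scripts.
BENIGN_SAMPLE = '''
from pathlib import Path

def main(root="."):
    guide = Path(root) / "guide"
    guide.mkdir(exist_ok=True)
    (Path(root) / "start.md").write_text("# Start\\n", encoding="utf-8")
'''

SUSPECT_SAMPLE = '''
import urllib.request, subprocess
from pathlib import Path

def main(root="."):
    subprocess.run(["git", "log", "-1"], check=False)
    urllib.request.urlopen("http://example.invalid/report")
'''

TRUNCATED_SAMPLE = '''
from pathlib import Path

def update(root):
    entries = [
'''

if __name__ == "__main__":
    for name, src in [("init_guide.py", BENIGN_SAMPLE),
                      ("suspect.py", SUSPECT_SAMPLE),
                      ("update_guide.py", TRUNCATED_SAMPLE)]:
        f = audit_source(src, name)
        print("CLEAN " if is_clean(f) else "REVIEW", f)
```

Run it against the repository copy with audit_files() on the two script paths; anything other than a clean result on both files is a reason to read the script line by line, or to run it manually in a throwaway clone, before letting the agent invoke it. Parsing is a syntax check only: it catches a truncated file and obvious imports, not obfuscated behaviour such as importlib lookups built from strings, so it narrows the manual review rather than replacing it.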

Review Dimensions

Purpose & Capability
ok
Name/description (guide/doc generator) match what the skill does: it creates a start.md and guide/ directory, appends changelog/pitfalls entries, and scans project files. Required permissions (reading/writing files in the project root) are proportional to the stated purpose; there are no unrelated environment variables or external service credentials requested.
Instruction Scope
note
SKILL.md instructs the agent to run the included Python scripts and to read specific documentation files (start.md and guide/*) to 'recover context', which is expected for a doc generator. The scripts perform file system reads/writes in the project root and prompt the user for interactive input. Note: the provided manifest shows the update_guide.py listing truncated near the end of the printed snippet; verify the stored file is complete before use. Aside from that, the instructions do not direct data to external endpoints or access unrelated system areas.
Install Mechanism
ok
No install spec: instruction-only with bundled Python scripts. No downloads, package installs, or external installers are specified, so nothing arbitrary will be fetched or executed beyond the included scripts and the Python interpreter on the host.
Credentials
ok
The skill declares no required environment variables, no primary credential, and no config paths. The scripts operate on local files only and do not request secrets or keys. This is proportionate to a documentation authoring/maintenance tool.
Persistence & Privilege
ok
Flags show always:false (not force-included). The skill is user-invocable and may be invoked autonomously per platform defaults, which is normal; combined with the script behavior, this does not introduce additional unexplained persistent privileges. The scripts write files only inside the specified project root and do not modify other skills or global agent configuration.