Skill v1.0.0
ClawScan security
Agent Entropy Meter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 6:01 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, README, and runtime behaviors line up with its stated purpose (measuring entropy and redundancy in agent messages); it does not request credentials, perform network I/O, or install external components.
- Guidance: This skill appears coherent and low-risk: it implements local statistical computations and does not access network or secrets. Before installing or allowing autonomous invocation:
  1. Review and run the included module locally on representative sample data to confirm results and performance.
  2. Note small implementation quirks (e.g., knowledgeOverlap treats non-array inputs as empty rather than accepting Set objects, and jointDistribution pairs messages by index using the shorter length, which may ignore unmatched messages); these are correctness/robustness issues rather than security problems.
  3. Sandbox execution if you plan to run it on very large datasets to avoid resource exhaustion.
  4. If you need visual output, understand that the SKILL.md only suggests piping to external visualizers but does not provide integrations or network calls; add integrations deliberately and review them separately.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md API, and index.js all implement entropy/redundancy metrics (Shannon entropy, redundancy ratio, mutual information, Jaccard overlap). No unrelated dependencies, credentials, or system access are requested.
- Instruction Scope (ok): SKILL.md explains when to use the skill and how to call the provided API. It does not instruct the agent to read system files, environment variables, or contact external endpoints. The README suggests piping output to visualization tools, but the package contains no integration or network calls.
- Install Mechanism (ok): No install spec; this is effectively an instruction+library package included as files. package.json is minimal and there are no download/extract/install steps or third-party packages pulled at install time.
- Credentials (ok): No environment variables, credentials, or config paths are required. The code operates purely on in-memory inputs provided to its functions.
- Persistence & Privilege (ok): Skill does not request persistent 'always' inclusion and does not modify agent or system configuration. It is user-invocable and can be called autonomously per platform defaults, which is expected for a utility skill.
