Skill v1.0.0

ClawScan security

Brew Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 15, 2026, 1:46 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally consistent: it only runs Homebrew CLI commands to audit packages, requests no credentials, and its files/instructions match the stated purpose.
Guidance
This appears safe and coherent for macOS users with Homebrew installed. Before installing/using: (1) confirm you're on macOS and have 'brew' available, (2) review the included script (it is short and readable), (3) note that running 'brew cleanup' or 'brew upgrade' will change system state—only run those if you intend to update/remove packages, and (4) consider asking the registry owner to set the OS restriction to macOS/darwin to avoid accidental use on unsupported systems.

Review Dimensions

Purpose & Capability
ok · Name and description match the included script and SKILL.md. The skill only requires the 'brew' binary which is appropriate for a Homebrew audit. Minor mismatch: SKILL.md metadata indicates macOS (darwin) but the registry lists no OS restriction—this should be reconciled but does not affect functionality.
Instruction Scope
ok · SKILL.md and the script instruct only to run brew commands (outdated, cleanup --dry-run, doctor, list, --prefix). The script does not read arbitrary files or environment variables, nor does it post data to external endpoints. Note: Homebrew commands may contact network services as part of normal operation (e.g., checking for newer versions), which is expected behavior.
Install Mechanism
ok · No install spec (instruction-only) and included script is plain shell. Nothing is downloaded or extracted by the skill itself. Risk is low because no external installers or URL-based payloads are used.
Credentials
ok · No environment variables, credentials, or config paths are requested. The script does not access secrets or unrelated system config.
Persistence & Privilege
ok · always:false (no forced inclusion). The skill is user-invocable and allows normal autonomous invocation, which is the platform default. The skill does not modify other skills or system-wide configs.