Back to skill
Skillv1.0.0
ClawScan security
iii-reactive-backend · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 16, 2026, 4:36 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only pattern guide for building reactive backends with the iii engine and its requested surface (no installs, no env vars, no filesystem access) aligns with that purpose.
- Guidance
- This is a documentation-style, instruction-only skill that appears coherent with its stated purpose. Before installing/use: (1) confirm your agent runtime actually implements the iii primitives referenced (registerWorker, registerTrigger, state::set, stream::send) — otherwise the examples won't run; (2) note the SKILL.md points to a ../references/reactive-backend.js example that isn't bundled — ensure the agent won't try to load arbitrary filesystem paths or fetch external code without explicit approval; (3) review any example code you paste/run from this pattern for network endpoints, logging, or side-effecting operations before execution; and (4) avoid supplying unrelated secrets — this skill does not require them.
Review Dimensions
- Purpose & Capability
- okName/description describe a reactive backend pattern and the SKILL.md contains only primitives and patterns (registerWorker, registerTrigger, state::set, stream::send) that are coherent with that purpose. Nothing in the metadata asks for unrelated credentials, binaries, or system access.
- Instruction Scope
- noteInstructions are narrowly scoped to implementing reactive state, triggers, and streams on the iii engine. They do reference a relative example file ('../references/reactive-backend.js') that is not bundled; this is a documentation reference rather than an explicit runtime requirement, but you should confirm the agent/runtime will not attempt to read arbitrary filesystem paths to fetch it.
- Install Mechanism
- okNo install spec and no code files — instruction-only. This minimizes risk since nothing is downloaded or written to disk by the skill itself.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The documented primitives are consistent with an engine-embedded runtime and do not imply unnecessary external secrets.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; it doesn't request permanent presence or elevated privileges or propose modifying other skills or system-wide settings.