Skill v1.0.0
ClawScan security
me.txt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 10:56 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, requirements, and behavior are consistent with its stated purpose (creating, fetching, and validating me.txt identity files) and request no unrelated credentials or system access.
- Guidance: This skill is internally coherent and does not ask for secrets or unusual system access. Things to consider before installing or using it: (1) The SKILL.md recommends using 'npx create-me-txt' — running npx will download and execute a package from the npm registry, so verify the CLI package's source before running it. (2) The skill fetches public URLs and a metxt.org lookup API to find me.txt files — ensure you trust that directory service before relying on it. (3) me.txt files are publicly served content; avoid including sensitive personal data (unobfuscated emails, private tokens, or private contact details) in a me.txt you host. (4) If you prefer no remote code execution, you can manually create the me.txt per the provided template instead of running npx. (5) Because the skill can cause network fetches, be mindful about automated/unsupervised invocation: autonomous invocation is allowed by default but here it would only perform public lookups and generation steps. Overall this skill appears benign and appropriate for its stated purpose.
Review Dimensions
- Purpose & Capability (ok): The name and description (me.txt identity files) match the SKILL.md content. The skill requires no binaries, env vars, or config paths and only describes creating/fetching/validating me.txt files and where to place them. References to the metxt.org spec and an optional npx CLI are congruent with the stated purpose.
- Instruction Scope (note): Runtime instructions stay within the stated scope: they ask the agent to gather basic personal info from the user, produce a me.txt file, fetch me.txt from public URLs, or validate structure. The SKILL.md does instruct network lookups (https://domain.com/me.txt, /.well-known, and a metxt.org lookup API) and suggests using 'npx create-me-txt' for convenience — these are expected for this skill but do involve fetching remote resources. The instructions do not request unrelated local files, credentials, or system configuration.
- Install Mechanism (note): There is no install spec and no code files (instruction-only), which is lowest risk. The documentation does reference 'npx create-me-txt' and other CLI tools; running those would cause npm to fetch code at runtime. That is not part of this skill itself, but users should be aware running npx executes remote package code.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. That is proportional to its functionality: creating/validating a public text file and fetching public URLs do not require secrets.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system presence, nor does it modify other skills or system-wide settings. The default ability for the agent to invoke the skill autonomously is present but not combined with other concerning privileges.
