Skill v1.0.0

ClawScan security

debug detective · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 3:40 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, examples, and runtime instructions are consistent with a debugging helper: it creates editor/debug configs and helper scripts and does not request unrelated credentials or install remote code.
Guidance
This skill appears coherent for debugging help, but exercise normal caution before running any included scripts:
1) Review scaffold.sh and the generated files (.vscode/, scripts/, .env.debug) so you know what will be created/modified.
2) Run scaffold.sh with an explicit PROJECT_DIR (avoid running in your home or an important repo root).
3) Back up or commit any uncommitted changes before using the bisect scripts (they intentionally stash/pop).
4) Edit the TEST_COMMAND in bisect-test.sh/git-bisect-example.sh so it only runs safe, deterministic tests.
5) Don’t run privileged profiling commands (perf, strace, tcpdump) on production systems without understanding the impact and required permissions.
6) Avoid blindly executing example package installs — verify package names and sources first.

Review Dimensions

Purpose & Capability
ok · Name/description match the provided files and instructions: debugging methodology, profiling guidance, git bisect helpers, and a scaffold script that adds .vscode configs and helper scripts. Nothing in the manifest asks for unrelated credentials, binaries, or system resources beyond what a debugging skill would reasonably use.
Instruction Scope
note · SKILL.md gives step-by-step debugging workflows and example commands (npm, py-spy, perf, strace, curl). The examples are broadly scoped but appropriate for debugging. Notes: some examples require elevated privileges (perf, strace, tcpdump) and some snippets show installing packages (example: 'npm install problematic-library@1.2.3') which are illustrative only — users should not run example installs blindly. The scaffold script writes files into the target project directory and the bisect scripts may stash/un-stash git changes; these behaviors are expected for the purpose but should be run intentionally.
Install Mechanism
ok · No install spec; this is instruction-only plus included script files. There are no download/install steps that fetch remote archives or run arbitrary installers. All code is provided in the package, lowering install risk.
Credentials
ok · Skill declares no required env vars or credentials. The included scripts reference LOG_LEVEL and other optional debug env vars in a .env.debug template — appropriate and proportionate. There are no requests for unrelated secrets or external service tokens.
Persistence & Privilege
note · always:false and the skill does not request permanent elevated platform privileges. The scaffold script creates/overwrites files under the provided PROJECT_DIR (default '.'), and bisect helpers may stash/un-stash local changes — expected for a debugging scaffold. Users should run these scripts from the intended project directory to avoid unintended changes elsewhere.