Skill v1.0.0

ClawScan security

Code Documentor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 11:21 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, scope, and requirements line up with a documentation-generation tool; it requests no credentials or installs and appears internally consistent.
Guidance
This skill appears coherent and doesn't request credentials or perform installs, but it will need access to your codebase to generate docs. Before using it: (1) run it on a copy or limit the requested files/directories to avoid exposing secrets; (2) review generated documentation for accidental inclusion of private data (keys, tokens, internal paths); (3) confirm license and third-party attribution in generated READMEs and API docs; and (4) if you allow autonomous runs, consider restricting its scope or confirming each run so it doesn't scan the entire repository automatically.

Review Dimensions

Purpose & Capability
ok: Name and description match the SKILL.md content: templates, supported languages, and commands are all consistent with a code documentation generator. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
note: SKILL.md gives templates and user-facing commands (e.g., 'document this code', 'generate README for [project]'). It does not instruct the agent to contact external endpoints or access system-wide credentials, but it is somewhat vague about which files or directories to operate on and does not include guidance to avoid secrets or large-scale repository scanning. This grants the agent normal discretionary access to the repository/workspace when invoked — expected for this type of skill, but users should limit scope when running it.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer, which minimizes install-time risk.
Credentials
ok: No environment variables, credentials, or config paths are requested. The lack of secret requests is appropriate for a document-generation skill.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent or elevated privileges. Autonomous invocation is allowed by platform default, but the skill itself does not demand extra system presence or modify other skills.