Back to skill
Skillv98.0.1
ClawScan security
EigenSkill Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 5:22 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This instruction-only meta-skill is internally consistent: it provides guidance on building/publishing ClawHub skills and does not request credentials, installs, or perform unexpected actions.
- Guidance
- This appears to be a straightforward, coherent blueprint for creating and publishing ClawHub skills and does not itself request secrets or install software. Before using it in automated workflows, review the full SKILL.md (the snippet is truncated) to ensure no later sections instruct agents to run shell commands that access local files or external endpoints. Also: because it teaches how to build skills, be cautious about automatically publishing outputs from agents that use this meta-skill — manually review any generated SKILL.md or install scripts before publishing, and avoid granting the skill any credentials or always-enabled privileges unless you trust its source.
Review Dimensions
- Purpose & Capability
- okThe name/description match the content: a blueprint for authoring and publishing skills. There are no unrelated required binaries, env vars, or config paths that would be out-of-scope for a meta-skill.
- Instruction Scope
- okSKILL.md content (shown) contains design rules, file layout, YAML frontmatter guidance, references conventions, and negative-boundary guidance. It does not instruct the agent to read system files, access credentials, or transmit data to external endpoints. The examples reference scripts (validate.sh, install.sh) only as optional artifacts, which is coherent for a skill-building guide.
- Install Mechanism
- okNo install spec or code files are present; this is an instruction-only skill. That minimizes risk because nothing will be written to disk or fetched during install.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. That is proportionate to a documentation/meta-skill that only teaches skill structure and publishing workflows.
- Persistence & Privilege
- okalways is false and autonomous invocation is allowed by default (normal). The skill does not request persistent system presence or attempt to modify other skills or system configs.