Skill v1.0.0
ClawScan security
clawhub-skill-forge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 2:22 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only scaffolder for creating ClawHub-ready OpenClaw skills and its requirements, instructions, and lack of installs/credentials are internally consistent.
- Guidance: This skill is an authoring/scaffolding guide and appears coherent. Before publishing or using generated artifacts, manually review the generated SKILL.md and _meta.json to ensure you haven't accidentally embedded any secrets or surprising network endpoints. When you run the publisher/scanner, iterate on the description summary (first ~160 characters) as recommended. If you plan to publish to a shared registry, confirm the registry owner/slug are correct and inspect the generated files for unintended content before submitting.
Review Dimensions
- Purpose & Capability (ok): Name and description claim a scaffolding/authoring helper and the skill is instruction-only with no binaries, installs, or credentials required — all of which are appropriate for a scaffolding tool. Nothing in the metadata or files requests unrelated capabilities (cloud credentials, system binaries, etc.).
- Instruction Scope (ok): SKILL.md contains detailed, prescriptive instructions for generating SKILL.md and _meta.json files and for complying with the ClawHub scanner. It does not instruct the agent to read arbitrary host files, access environment variables, call external network endpoints, or perform background processes. The instructions are narrowly scoped to authoring and publishing skills.
- Install Mechanism (ok): There is no install specification and no code files — the skill is instruction-only. This is the lowest-risk pattern and matches the described purpose.
- Credentials (ok): The skill declares no required environment variables, no primary credential, and no required config paths. The SKILL.md explicitly states 'No credentials or binaries required' and does not reference accessing other secrets or credentials.
- Persistence & Privilege (ok): The skill is not always:true, does not request persistence or background execution, and contains no instructions to modify other skills or system-wide agent settings. It only instructs generation of two files in a skill directory.
