Skill v1.0.0
ClawScan security
Vibration Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 3:20 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only vibration-analysis helper whose requested inputs, outputs, and procedures align with its stated purpose and it does not request extra credentials or install code.
- Guidance: This skill is an instruction-only analyzer and appears to be what it claims. Before installing or using it: (1) decide how the required telemetry (CMS trends, spectra, SCADA alarms) will be provided: manually pasted/uploaded, or via a connector that has its own credentials; the skill does not include or request those credentials; (2) verify site-specific baselines and thresholds before acting on shutdown recommendations (the doc itself cautions to use site baselines); (3) if you plan to let the agent fetch data automatically, do not grant network/credential access without reviewing which connector will be used; (4) review any produced 'immediate shutdown' recommendation with an engineer before executing physical actions. If you want the skill to fetch CMS/SCADA directly, ask the author to declare required env vars or connector steps so the permission surface is explicit.
Review Dimensions
- Purpose & Capability: ok. The name/description (wind-turbine drivetrain vibration analysis) matches the SKILL.md content: thresholds, fault signatures, severity rules, and a report format. No unrelated binaries, config paths, or credentials are requested.
- Instruction Scope: note. Instructions ask the agent to 'collect inputs' (CMS trends, RMS, spectrum, SCADA alarms, operational context) but do not specify how to obtain them. This is coherent if the user supplies data manually, or if the agent is expected to call other platform skills/APIs; however, the skill does not declare any credentials or data-access steps. If you expect the skill to automatically fetch CMS/SCADA data, you'll need to provide appropriate data connectors/credentials externally.
- Install Mechanism: ok. No install step or code is present (instruction-only), so nothing is written to disk or downloaded. This minimizes install-time risk.
- Credentials: ok. The skill declares no environment variables, credentials, or config paths. That matches the SKILL.md, which operates on user-provided telemetry and report generation; there are no disproportionate secret requests.
- Persistence & Privilege: ok. 'always' is false and 'disable-model-invocation' is false (normal). The skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed by default but not unusual; combine with other red flags before restricting.
