Skill v1.0.0
ClawScan security
Near Best Practices · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:24 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to be what it claims — a local NEAR best-practices reference implemented as a simple Node CLI with no credentials, network endpoints, or installation steps — but the script file was truncated in the review so full certainty is limited.
- Guidance: This skill looks like a straightforward, local NEAR best-practices reference implemented as a Node CLI. Before installing: 1) confirm you have Node available (README uses `node scripts/best.js`) — the skill metadata did not declare this binary requirement; 2) review the remainder of scripts/best.js (the provided file was truncated in the review) to ensure there are no unexpected network calls, file writes, or child-process executions in the unseen portion; 3) if you allow autonomous invocation, be aware the agent could run the bundled script without further prompts (this is normal), but the script as shown only prints local content and does not access secrets. If you are not comfortable reviewing the full file yourself, request the complete script content before installing.
Review Dimensions
- Purpose & Capability (note): Name, description, README, SKILL.md, and the provided scripts/best.js are consistent: a searchable best-practices guide for NEAR. Minor coherence issue: README and script usage expect the 'node' runtime, but the registry metadata lists no required binaries. Requiring Node is reasonable for a JavaScript CLI, but it wasn't declared.
- Instruction Scope (ok): SKILL.md instructs the agent to expose CLI-like commands (browse/search/get/list/random) that match the functions implemented in scripts/best.js. The instructions do not ask the agent to read unrelated files, access credentials, or send data externally.
- Install Mechanism (ok): There is no install spec (instruction-only skill with bundled code). No external download/install steps are present. The package is self-contained and appears to only require a Node runtime to run the included script.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The content and code do not indicate a need for secrets or external service credentials.
- Persistence & Privilege (ok): The skill does not request always:true and does not declare elevated privileges. It can be invoked by the agent (normal default). There is no evidence it modifies other skills or system-wide settings.
