Back to skill
Skillv1.0.0
ClawScan security
Pulse App Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 1, 2026, 7:29 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only developer guide for building Pulse Apps; the files and instructions are internally consistent with that purpose and do not request unexplained credentials or install anything automatically.
- Guidance
- This guide appears coherent and safe as a developer reference. Before running any commands shown (pulse create, npm scripts) inspect the CLI/tool source (pulse) and the app's package.json to confirm dependencies are trustworthy. When you create skills or server functions that run on your host, review their action.ts and server code for secrets, network calls, or unsafe behavior before deploying or registering in a hosted Pulse Editor. If you plan to publish or run apps in a shared environment, ensure the app does not embed credentials or exfiltrate data.
Review Dimensions
- Purpose & Capability
- okThe name/description (Pulse App developer helper) match the SKILL.md content: scaffolding, app architecture, server functions, skills, and config. There are no unrelated required binaries, env vars, or credentials.
- Instruction Scope
- okSKILL.md contains developer guidance, code examples, and CLI commands (pulse create, npm run dev/build). It does not instruct the agent to read system files, exfiltrate data, or access unrelated environment variables. It confines itself to Pulse App development tasks.
- Install Mechanism
- okThere is no install spec and no code files — this is instruction-only, so nothing will be downloaded or written to disk by the skill itself.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The guide shows typical local dev commands but does not require keys or secrets.
- Persistence & Privilege
- okalways is false and the skill does not request any elevated or persistent system presence. It does not attempt to modify other skills or global agent settings.