Skill v1.0.0
ClawScan security
Api Doc Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Apr 6, 2026, 3:18 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches its stated purpose (static parsing of code to produce API docs) but contains inconsistencies that warrant caution—most notably a claimed 'standard library only' dependency posture that contradicts the presence of requirements.txt (pyyaml) and a few small documentation mismatches; confirm there is no code execution of analyzed sources before trusting it with untrusted code.
- Guidance: Things to check before installing or running:
  - Dependency mismatch: SKILL.md claims 'standard library only' but requirements.txt includes pyyaml; expect to install at least pyyaml if you run the tool. Decide whether you are comfortable installing that dependency.
  - Confirm the generator parses code statically (AST/regex) and does NOT execute the supplied code strings. Review generator.py for any use of exec/compile/subprocess or dynamic imports. The CLI reads files and passes them as text to the generator functions; if the generator executes them, that would be dangerous for untrusted code.
  - Run the tool and its tests in a sandbox or isolated environment (container/VM) before using it on sensitive projects. The package includes tests (pytest) you can run locally to validate behavior.
  - Be aware of minor documentation inconsistencies (README mentioning NestJS; SKILL.md not) and the presence of price tiers in SKILL.md. These are not security issues but indicate the project may have been copy-pasted or incompletely edited.
  - If you need higher confidence, ask the maintainer for provenance (source repo/homepage) or request an explicit statement that user code is never executed and that no network exfiltration occurs. If the source is unknown and you must analyze untrusted code, run the tool only on isolated infrastructure.
Review Dimensions
- Purpose & Capability (note): Name/description match the code: the package is a CLI + generator that parses code and emits Markdown/OpenAPI/Postman. However, SKILL.md and README conflict: SKILL.md claims 'only standard library (no external deps)' while requirements.txt lists pyyaml (and README lists NestJS support not present in SKILL.md). The presence of requirements.txt contradicts the 'standard library only' claim and should be resolved.
- Instruction Scope (ok): Runtime instructions in SKILL.md are limited to analyzing code files or code strings, batch processing directories, and exporting docs. The CLI reads files and passes code text to the generator functions. There are no instructions to read unrelated system files, export credentials, or send data to external endpoints.
- Install Mechanism (note): There is no install spec in the registry (instruction-only), so nothing will be automatically downloaded. The repository includes requirements.txt listing pyyaml (and tests require pytest). That is consistent with generating YAML output but contradicts the SKILL.md 'standard library only' claim. No high-risk external downloads or URL-based installers are present.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no special config paths. The requested surface is proportional to an offline code-analysis tool.
- Persistence & Privilege (ok): The skill is not always-on and does not request elevated or persistent platform privileges. It is user-invocable and allows autonomous invocation by the agent (platform default), which is expected for skills.
