Skill v1.0.1

ClawScan security

orbcafe-layout-navigation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 1:38 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, required actions, and outputs are consistent with building an application shell/navigation UI; it does not request credentials or hidden endpoints, but it does ask you to run npm installs from public registries so you should vet the packages before installing.
Guidance
This skill appears coherent for building the ORBCAFE UI shell and navigation. Before running anything:
1) verify the npm package 'orbcafe-ui' (check its npm page or source repo) and confirm you trust it;
2) run npm installs in an isolated/dev environment (not on a production host) and run 'npm audit' or similar;
3) review example scripts (examples/*) before executing 'npm run dev' because they can run arbitrary code;
4) confirm the referenced local path 'skills/orbcafe-ui-component-usage/...' exists and is the expected, trusted content;
5) pin package versions or use a lockfile to avoid unexpected upstream changes.
If any of those checks fail or the package source is unknown, treat the install as higher risk.

Review Dimensions

Purpose & Capability
ok: The name/description (ORBCAFE layout/navigation) matches the SKILL.md steps: install UI libs, choose a shell pattern, wire providers, and produce layout code. Nothing requested (no env vars, no binaries) is disproportionate to building a UI shell.
Instruction Scope
note: Instructions are scoped to development tasks: check a module contract file, install npm deps, run example dev server, and generate layout/provider code. They do reference a workspace path ('skills/orbcafe-ui-component-usage/references/module-contracts.md') which requires that other repo/skill files exist; this is likely an integration convenience but you should confirm those referenced local files are the intended sources.
Install Mechanism
note: There is no formal install spec in the registry (instruction-only), but SKILL.md instructs running 'npm install orbcafe-ui @mui/...' and starting examples. This pulls code from public npm registries (no direct URLs), which is expected for a UI integration but carries the normal risk of installing third-party packages and running example/dev scripts. Review the 'orbcafe-ui' package source and example scripts before running.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths and the instructions do not ask for secrets or system config. That is proportionate for a UI/layout helper.
Persistence & Privilege
ok: 'always' is false and there are no install scripts that embed persistent agent behavior in the registry metadata. As an instruction-only skill it does not request elevated or permanent platform privileges.