Skill v1.0.0

ClawScan security

smart-file-organizer-pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 12, 2026, 3:50 PM
Verdict
Review
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions mostly match its file-organizer purpose, but the SKILL.md/README reference several auxiliary scripts (backup.py, batch.py, watch.py) that are not present in the package — a packaging/incoherence issue worth resolving before trusting or running it.
Guidance
This package appears to implement a local file organizer and uses only standard Python libraries (no network or secret access). However: (1) SKILL.md/README reference additional scripts (backup.py, batch.py, watch.py) that are missing from the manifest — ask the publisher for the missing files or a corrected package before use. (2) Always run first in preview/dry-run mode and inspect the generated .history and Backup folders to confirm behavior. (3) Review the organize.py, undo.py, and any backup logic yourself (or in a sandbox) before running on important directories; run on a small test folder first. If you need the advertised batch/watch/backup features, request the missing scripts and verify they do not perform unexpected network or credential operations.

Review Dimensions

Purpose & Capability
note: Name/description (file organizer) aligns with the provided Python scripts (organize, analyze, history, undo). The requested runtime binary (python3) is appropriate. However, the documentation and SKILL.md advertise features (backup management, batch processing, watch/monitoring) that invoke scripts (scripts/backup.py, scripts/batch.py, scripts/watch.py) which are not included in the file manifest — this is an inconsistency between claimed capabilities and the actual files.
Instruction Scope
note: SKILL.md instructs the agent to run local scripts in scripts/*.py (organize/analyze/history/undo) which is consistent with included code. The instructions do not request environment secrets or external endpoints. They do reference setting PYTHONIOENCODING and provide CLI options (preview/dry-run) — the presence of preview and undo is good. The concern: SKILL.md also shows commands for scripts that are missing; those instructions would fail or might indicate incomplete packaging.
Install Mechanism
ok: No install spec (instruction-only) and required binary is just python3. No remote downloads or package installs are requested. This is low-risk from an install perspective.
Credentials
ok: The skill declares no required environment variables or credentials and the code does not read secrets. It only advises setting PYTHONIOENCODING for encoding issues. No broad credential access is requested.
Persistence & Privilege
ok: Skill is not always-enabled and does not request elevated platform privileges. Scripts create and modify user files (Backup, .history, Reports, Logs), which is standard file-system access for a file organizer and should be noted as such.