Back to skill
Skillv1.0.0
ClawScan security
Vibe Coding Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 6, 2026, 1:02 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only 5‑phase AI coding workflow whose requirements and runtime instructions are consistent with its stated purpose and do not request extra credentials, installs, or system access.
- Guidance
- This skill is an instruction-only workflow and appears coherent with its stated purpose. Before using it: (1) understand that it generates design docs and code — always review and test any generated code before running it; (2) avoid pasting secrets or credentials into the conversation or artifacts the skill produces; (3) if you expect the agent to edit files in your repo or run commands, confirm what it will change first; and (4) if you want stronger guarantees about privacy or file-system safety, prefer running the workflow in a sandboxed environment or with a human-in-the-loop to approve each change.
Review Dimensions
- Purpose & Capability
- okName and description match the content of SKILL.md: a structured requirements→architecture→code→debug→iterate workflow. The skill requests no binaries, env vars, or config paths that would be unrelated to that purpose.
- Instruction Scope
- okSKILL.md confines actions to conversation, artifact creation (Markdown), architecture diagrams, and stepwise code generation; it does not instruct the agent to read local files, access environment variables, or transmit data to external endpoints beyond normal conversational output.
- Install Mechanism
- okNo install spec and no code files (instruction-only). Nothing is downloaded or written to disk by the skill itself, which minimizes installation risk.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The instructions likewise do not reference secrets or unrelated services.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; it does not request permanent presence or attempt to modify other skills or system-wide settings.