Skill v1.0.0
ClawScan security
Code Diff Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 5:08 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to be a straightforward Node.js diff viewer whose code and runtime instructions align with the stated purpose, but there are a few mismatches and small risks you should review before installing (unknown source, name/slug mismatch, and unverified 'git' integration).
- Guidance: This skill is largely coherent with its description, but review these before installing:
  - Source provenance: the skill has no homepage and an unknown owner — treat as untrusted until you verify the origin. Prefer packages from known maintainers.
  - Name/slug mismatch: SKILL.md calls itself 'skylv-diff-viewer' while the registry name is 'Code Diff Tool' — this could be benign but is worth noting.
  - Git integration: SKILL.md documents a 'git' command. Confirm the code does not call external commands or spawn git (inspect the remainder of diff_engine.js for child_process usage). If it spawns git, ensure your environment has the git binary and do not point it at sensitive repos.
  - File access: the tool will read the files and directories you provide and will write an HTML output (diff.html). Do not run it on sensitive directories or files containing secrets unless you inspect the code and are comfortable.
  - Missing/uncertain claims: claims like streaming for >10MB are not visible in the excerpt — if you need that behavior, test on large files.
  - Recommended actions: run the tool on a non-sensitive example repository first, inspect the full diff_engine.js for any child_process, network (http/net) usage, or unusual file writes, and consider running it in an isolated environment (container) if provenance is unclear.
Review Dimensions
- Purpose & Capability (ok): The description (side-by-side diffs, syntax highlighting, HTML export) matches the included diff_engine.js, which implements an LCS-based diff, renderers, and HTML export. There are minor inconsistencies: the registry name is 'Code Diff Tool' while SKILL.md identifies itself as 'skylv-diff-viewer', and the package claims streaming for >10MB which isn't obviously implemented in the visible code. Overall the required capabilities (reading files/directories) are proportionate to the stated purpose.
- Instruction Scope (note): SKILL.md tells the agent to run node diff_engine.js commands (diff, sbs, words, html, dir, git). Those instructions are within the expected scope (compare files/dirs, produce HTML). Two points to check: (1) SKILL.md references a 'git' integration but the provided code excerpt does not show a child_process or git invocation — if the code attempts to run 'git' it will require the git binary, but SKILL.md does not declare that dependency; (2) the skill will read any files/directories you point it at and will write output files (e.g., diff.html), so do not run it against sensitive system paths or secrets without review.
- Install Mechanism (ok): There is no install spec (instruction-only skill with bundled code), which minimizes installer risk. The skill is pure Node.js and has no external package download instructions. The code will be executed by node from the included file — no network-fetching install steps are present in the manifest.
- Credentials (ok): The manifest requests no environment variables or credentials, and the code excerpt does not access process.env secrets. The only potentially sensitive I/O is file system read/write of the files/directories you pass in (which is expected for a diff tool).
- Persistence & Privilege (ok): The skill is not forced-always and is user-invocable; it does not request elevated persistence or attempt to modify other skills. Autonomous invocation is allowed by default but does not combine here with other red flags.
