Skill v1.0.0
ClawScan security
Skylv Changelog Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 5:54 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only changelog generator that is internally consistent with its stated purpose and requests no installs, credentials, or special privileges.
- Guidance: This skill appears low-risk and coherent. Before using, decide how the agent will get commit history: grant repository access only if you trust the agent and the hosting environment, or paste/supply commit logs manually. Review commit messages and history for sensitive data before sharing. If the agent asks for repository credentials or asks to run git commands on your machine, confirm exactly what will be accessed and limit permissions (read-only) where possible.
Review Dimensions
- Purpose & Capability (ok): Name/description (generate changelogs from git history using conventional commits) match the SKILL.md content. The declared capabilities do not request unrelated tools, credentials, or installs.
- Instruction Scope (note): SKILL.md stays within the changelog generation purpose and documents commit types and output format. It does not specify how the agent should obtain commit history (e.g., run git commands, read pasted logs, or access a remote repo), so the agent may need to request repository access or ask the user for commit data; this is a functional gap rather than a security mismatch.
- Install Mechanism (ok): No install spec and no code files (instruction-only). Nothing is written to disk or fetched at install time.
- Credentials (ok): No environment variables, credentials, or config paths are requested. Nothing in the SKILL.md attempts to access secrets or unrelated services.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/system-wide changes or additional privileges. Autonomous invocation is allowed by default but not combined with other red flags here.
