Skill v1.0.0
ClawScan security
Skylv Skill Quality Assurance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 4:38 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, documentation, and runtime instructions are internally consistent with its stated purpose of scoring SKILL.md files; nothing requests unrelated credentials or installs arbitrary code from the network.
- Guidance: This skill appears coherent and safe to inspect/run. Before executing: (1) review engine.js locally (done here) and confirm you are comfortable running Node code; (2) note that the engine will read SKILL.md and README.md files in whatever directory you pass it — avoid pointing it at directories containing sensitive secrets or private keys; (3) SKILL.md refers to a fixer script (fix_skill_md.cjs) that's not included — don't expect an auto-fix capability unless you supply or review that script; (4) run the tool under an unprivileged account or inside a disposable container if you want extra caution. Confidence in this assessment is high given the provided files and lack of network or credential access.
Review Dimensions
- Purpose & Capability (ok): Name/description match the delivered artifacts: SKILL.md and a Node.js engine that reads SKILL.md/README.md files and scores them. No unexpected environment variables, binaries, or cloud credentials are requested.
- Instruction Scope (note): SKILL.md instructs running node engine.js against a local skill path and the engine reads SKILL.md/README.md files in whatever directory you supply. SKILL.md mentions a companion auto-fix script (fix_skill_md.cjs) but that file is not present in the package — minor incoherence (documentation references non-existent helper).
- Install Mechanism (ok): No install spec is provided and there are no external downloads. The package is instruction-only plus a single local engine.js file and uses only built-in Node modules (fs, path). No network fetches or archive extraction are present.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The engine operates on files under the user-specified target directory, which is appropriate for a documentation linter/QA tool.
- Persistence & Privilege (ok): always is false; the skill does not modify other skills or system-wide agent settings. It only reads local files and prints reports to stdout; no persistent agent changes or elevated privileges are requested.
