Skill v1.0.1

ClawScan security

Game Design Prototyping Companion · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 11:59 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files and runtime instructions match its stated purpose (recording prototype nodes and optionally rendering a local SVG); there are no hidden network calls or unexplained credential requests.
Guidance
This skill appears coherent and benign. Before installing or running it: 1) ensure the agent environment has a Python runtime available (the skill's script expects to be invoked but the SKILL.md doesn't declare 'python'), 2) run the renderer (scripts/branch_map_svg.py) on JSON you create or review first — it reads whatever input path you give and will write the specified output.svg locally, so avoid passing sensitive filesystem paths, and 3) verify the produced SVG before sharing externally. If you plan to allow autonomous invocation, be aware the agent could run the script on any file it has access to, so restrict agent filesystem permissions or only permit runs with vetted JSON inputs.

Review Dimensions

Purpose & Capability
ok: The name/description ask for prototype logs and optional SVG visualization; included references, example JSON, and a renderer script all directly support that purpose. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
ok: SKILL.md confines actions to producing structured prototype data and, if requested, writing a JSON file and running the bundled script to render an SVG. The instructions do not request reading unrelated system files, environment variables, or sending data to external endpoints.
Install Mechanism
note: This is an instruction-only skill with no install spec (low risk). The packaged renderer is a Python script that reads JSON and writes an SVG; the skill does not declare the Python interpreter as a required binary or provide a shebang. Users or the agent will need a Python runtime available to execute the script.
Credentials
ok: No environment variables, credentials, or config paths are requested. The script only reads the provided JSON input path and writes the SVG output path.
Persistence & Privilege
ok: The skill is not forced-always and does not request persistent privileges or modify other skills. It only writes an output SVG file when run, which is expected behavior for its purpose.