Skill v0.1.0

ClawScan security

Workspace Hygiene Publish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 7:36 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini

Summary
The skill's requirements, instructions, and included script are consistent with a workspace-audit/cleanup tool: it only needs python3 and operates on files under the given workspace path (it can read and write there, and optionally merge memory files when run with --fix).
Guidance
This skill appears to do what it says: audit and (optionally) perform low-risk fixes inside the workspace path you supply. Before installing or running it:
1) review scripts/hygiene.py locally (it is included) to confirm behavior;
2) run it in read-only/report mode first (use --report-only) to see what it would change;
3) back up the workspace or test in a copy before using --fix;
4) avoid running as privileged users (don't run as root);
5) note it will write a report to projects/system/hygiene-YYYY-MM-DD.md and may merge memory files (it does not delete sources but does append contents), so inspect results before removing originals; and
6) if you do not want the agent to autonomously run hygiene audits, disable autonomous invocation via your agent policy (the skill itself does not require this).

Review Dimensions

Purpose & Capability
ok: Name/description match the included assets: SKILL.md, audit.md, memory-format.md, rag-index.md, and a Python script that performs the described audits. The only required binary is python3, which is appropriate for a Python audit script.
Instruction Scope
note: Runtime instructions are localized to the provided workspace path. The script reads many workspace files and directories, reports issues, writes a health report to projects/system/hygiene-YYYY-MM-DD.md, and, if invoked with --fix, will perform low-risk fixes such as appending contents from timestamped memory files into date files. This is expected but means the tool will modify files when run with fixes enabled; use --report-only to avoid modifications.
Install Mechanism
ok: Instruction-only skill with an included Python script and no install spec. No external downloads or package installations are requested. This is low-risk and consistent with the stated purpose.
Credentials
ok: No environment variables, credentials, or external endpoints are requested or referenced. The script uses only standard library imports and operates on the filesystem under the workspace path, which aligns with the stated functionality.
Persistence & Privilege
ok: "always" is false and the skill does not request permanent platform-level privileges. It writes reports and may modify files inside the provided workspace path when run with --fix, which is appropriate for a hygiene/cleanup tool.