Skillv1.0.0

ClawScan security

Local Model Quantization Router · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 30, 2026, 8:05 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions are coherent with its stated purpose: it is a local-only router that recommends model families and quantization levels based on supplied hardware and task parameters and does not contact external endpoints or request credentials.
Guidance: This skill appears to do exactly what it claims: local routing recommendations from supplied hardware and task inputs. Before using it: (1) review any hardware JSON you pass in (the script will read it); (2) avoid putting sensitive secrets into the --task text or into the output file because the script includes the inputs in its JSON output; (3) be careful if automating decisions based solely on these recommendations — the script may recommend 'local-only' or 'hybrid' even when hardware is constrained, so validate feasibility on your systems; and (4) if you need networked or cloud failover, ensure that downstream systems implementing the fallback are secure. There are no network calls, credential requests, or install-time downloads in the code provided.

Purpose & Capability: okName/description (local model routing and quantization) match what the SKILL.md and the included Python script do: they take hardware and task parameters and return a routing recommendation and quantization suggestion. The models and endpoints referenced (Qwen, Ollama-compatible endpoint) are consistent with the stated purpose.
Instruction Scope: okSKILL.md instructs the agent to run the included script with flags or JSON input and to use the output for routing evidence. The script only reads an optional hardware JSON file, the CLI args, writes an optional JSON output file, and prints results. It does not read other system files, environment variables, or send data externally.
Install Mechanism: okThere is no install spec (instruction-only skill with a bundled script). Nothing is downloaded or extracted during install, and no unusual package sources or installers are present.
Credentials: okThe skill requires no environment variables, no credentials, and no config paths. The script uses only CLI flags and an optional hardware JSON provided by the user—proportional to the stated functionality.
Persistence & Privilege: okThe skill is not always-enabled and is user-invocable (defaults). It does not modify other skills or system-wide settings and does not request elevated or persistent privileges.