Skill v1.0.0

ClawScan security

flutter-hive-database · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 9:26 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code-generation actions (reading pubspec.yaml, creating/updating files under lib/) match its stated purpose and do not request credentials or contact external hosts; it modifies only the user's Flutter project files as intended.
Guidance
This skill appears coherent: it is a local code generator that writes Dart files into a Flutter project. Before running it, commit or back up your project so you can review changes; inspect diffs after generation to ensure injected code matches expectations. Only run the script on projects you trust. Although the script validates paths and names to prevent path traversal, it will modify files under the provided project root (including injecting CRUD methods into existing repository files), so review generated code and run tests. If you want tighter control, run the generator manually from a shell rather than allowing autonomous agent invocation.

Review Dimensions

Purpose & Capability
ok: Name/description (Flutter Hive codegen) match the behavior: the skill provides a local Python generator that reads pubspec.yaml and writes Dart files under the project's lib/ tree. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
note: SKILL.md instructs running the included generate.py with a project root and optional feature/name/entity. The script legitimately reads pubspec.yaml and lib/ and creates or updates Dart files. This is in-scope for a code generator, but be aware it will write into your project files and can inject CRUD code into existing repository files.
Install Mechanism
ok: No install spec; the skill is instruction-only with one bundled Python script. Nothing is downloaded or executed from remote URLs; risk is limited to local file operations performed by the script.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The script only reads project-local files (pubspec.yaml) and uses the validated --project and --feature inputs. No sensitive environment access is requested.
Persistence & Privilege
ok: always is false and the skill does not request persistent platform-wide privileges. It affects only the specified project directory and does not attempt to modify other skills or global agent configuration.