Skillv2.0.0

ClawScan security

flutter-schema · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 11, 2026, 9:10 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is a self-contained Flutter GetX scaffolding/instruction skill that only generates local Dart files and does not request credentials or perform network activity.
Guidance: This skill is a local scaffolding helper: it generates Flutter GetX page files under your project's lib directory and reads pubspec.yaml to fill package imports. Before using it: (1) run it from your project (or copy scripts/validate.py into your project) so the script can locate pubspec.yaml; (2) back up or review changes before committing, since it will create files; (3) ensure the target directory you pass is inside your project's lib folder (the script enforces this but be careful with symlinks/paths); (4) you need Python available locally to run the script. There is no network activity or credential use in this skill.

Purpose & Capability: okName/description (Flutter GetX scaffold & architecture guidance) match the included artifacts: documentation and a small Python script that generates GetX page files. The requested capabilities (file generation under lib/modules) are appropriate for the stated purpose.
Instruction Scope: noteSKILL.md instructs running the included Python script to create page scaffolding. The script only reads pubspec.yaml (to get the package name) and writes four Dart files under lib (with checks to prevent path traversal). Minor ambiguity: SKILL.md suggests running the script from '~/flutter-schema/scripts/validate.py' while the repository provides scripts/validate.py; the user will need to ensure the script is placed/run in their project environment. No instructions reference external network endpoints or unrelated system files.
Install Mechanism: okNo install spec is provided (instruction-only plus a small helper script). Nothing is downloaded or executed from remote URLs; there are no package installs declared.
Credentials: okThe skill requests no environment variables or credentials. The script reads only local project files (pubspec.yaml) which is reasonable for generating Dart package imports.
Persistence & Privilege: okalways is false and the skill does not request persistent or cross-skill privileges. It only writes files within the project's lib directory and does not modify other skills or system-wide settings.