Skillv1.0.0

ClawScan security

Universal Code Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 14, 2026, 2:49 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, files, and requirements are consistent with a tool that designs and reviews staged source-to-source translation pipelines; it does not request unrelated credentials, installs, or persistent privileges.
Guidance: This skill is coherent and appears safe to install from a permissions standpoint, because it requests no credentials or installs. Before using it, ensure you: (1) provide representative fixtures (the skill expects them) rather than letting the agent infer broad context; (2) run any parser builds, compilers, or tests in a controlled environment (the guidance suggests running reparses and compilation checks, which will execute tooling); (3) pin Tree-sitter and toolchain versions in your implementation to avoid upstream surprises; and (4) review any generated or executed commands before permitting the agent to run them (to avoid accidental execution of untrusted build/test scripts). If you need higher assurance, request an explicit list of commands the agent will run and the exact parser/emitter dependencies it plans to use.

Purpose & Capability: okName and description match the SKILL.md guidance and included reference docs. References to Tree-sitter, IR design, and validation are expected for a code-conversion architecture guide; no extraneous binaries, env vars, or unrelated prerequisites are requested.
Instruction Scope: okRuntime instructions are focused on designing, probing, implementing, and validating translation pipelines. They reference included reference files and ask for representative snippets/fixtures from the user. They do not instruct the agent to read system secrets, arbitrary filesystem paths, or send data to external endpoints.
Install Mechanism: okNo install spec or code files are present; this is instruction-only and therefore does not write or execute downloaded code during install. Risk from install mechanism is minimal.
Credentials: okThe skill requests no environment variables, credentials, or config paths. Its Tree-sitter and build/test references are proportionate to the stated purpose and appear as implementation guidance rather than hidden requirements for sensitive data.
Persistence & Privilege: okalways is false and the skill is user-invocable only. It does not request to modify other skills or system-wide settings; no elevated persistence is requested.