Skill v1.0.0

ClawScan security

SearchBar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 8:47 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only, platform-focused helper for a SwiftUI SearchBar component; its requirements and instructions are consistent with that purpose and request no unrelated credentials or installs.
Guidance
This skill appears coherent and focused on authoring-help for a SwiftUI SearchBar. Before installing or recommending the package in a project: (1) verify the GitHub repository and maintainer (SzpakKamil/SearchBar) and review the package source and license, (2) confirm the package version and that it meets your deployment-target and security policies, (3) inspect any code you pull in via SPM for unexpected network calls or data collection, and (4) be aware that suggestions/tokens examples assume you will implement data providers — avoid sending sensitive user queries to untrusted remote services. If you need higher assurance, review the package source or vendor contact history.

Review Dimensions

Purpose & Capability
ok: The name and description match the included documentation files: all files describe a SwiftUI SearchBar package, its API, modifiers, and platform/version caveats. The only external resource referenced is the SPM URL (https://github.com/SzpakKamil/SearchBar.git), which is coherent for a Swift package. No unrelated binaries, credentials, or system access are requested.
Instruction Scope
ok: SKILL.md gives bounded guidance for answering developer questions (ask target platform, mention version requirements, provide code snippets, and point to reference docs). It does not instruct the agent to read local files, access environment variables, or exfiltrate data. The only external action suggested is adding the package via Swift Package Manager, which is expected for this kind of skill.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files that run on the agent. It tells users to add the package via SPM (GitHub). That will cause a normal repository fetch/build when added to a project, but the skill itself does not download or execute third-party code on the agent.
Credentials
ok: The skill declares no required env vars, credentials, or config paths. Its examples imply user-side networking for suggestions (e.g., myDataService.search), which is normal and must be implemented by the developer — nothing in the skill asks for unrelated secrets or broad access.
Persistence & Privilege
ok: The skill does not request persistent or elevated platform privileges; flags show always:false and normal agent invocation behavior. It does not modify other skills or system configuration.