Skill v1.0.1

ClawScan security

Vvvv Debugging · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 3:09 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
Instruction-only skill that coherently documents how to generate VS Code debugging configurations for vvvv gamma C# projects; it reads local workspace and common install paths but requests no credentials, binaries, or installs.
Guidance
This skill is an instruction-only helper for creating VS Code debug configs for vvvv and appears internally consistent. Before using it:
(1) Review and confirm any detected vvvv installation path it proposes (it looks under Program Files and may not find custom installs).
(2) Approve the AskUserQuestion prompts it will present; the skill says to ask all configuration questions before writing files.
(3) Inspect generated .vscode/launch.json and tasks.json before launching, especially if you enable --package-repositories or --editable-packages (these can trigger full recompilation of core libraries and long build times).
(4) Note it will read your repository file tree (including git submodules) to determine package names and patches; this is expected but you should be comfortable granting read access to the project files.

Review Dimensions

Purpose & Capability
ok: The skill's name and description (vvvv debugging / generate launch.json and tasks.json, attach debugger) match the SKILL.md content. All requested actions (scanning the workspace, locating vvvv.exe, creating/merging .vscode configs, asking the user for flags) are appropriate for a debugging setup helper. There are no unrelated credential or external service requirements.
Instruction Scope
note: Instructions direct the agent to scan the local workspace (csproj/sln/vl files, help/ folders, .vscode) and to search common installation path(s) under C:\Program Files for vvvv. That is expected for this purpose, but the doc also suggests inspecting git submodules and repository package names, which means the agent will read repository metadata and file structure. This is reasonable for building correct launch args, but users should be aware the skill expects access to their project files and Program Files. The example command uses a Unix-like ls variant on a Windows path (/c/Program Files), which is a minor platform inconsistency but not a security issue.
Install Mechanism
ok: No install spec and no code files are present; the skill is instruction-only. Nothing will be written to disk by an installer. This is the lowest-risk install profile.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The instructions reference only local file system locations and workspace metadata, which are proportionate to generating debugging configurations. No secrets or external tokens are requested.
Persistence & Privilege
ok: always is false and the skill is user-invocable. It does not request persistent installation, modify other skills, or claim system-wide privileges. Autonomous invocation is allowed by default but there are no additional privileges requested that would increase risk.