Skillv1.0.0

ClawScan security

Vvvv Fileformat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 5, 2026, 3:29 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only reference for the .vl XML format and its requirements (IDs, elements, layout) are consistent with that purpose — it requests no credentials, installs, or external access.
Guidance: This is a read-only format reference and layout best-practices for vvvv .vl files — safe to install from an integrity standpoint. Before using: (1) be mindful if you let an agent edit real files — review changes before applying; (2) if the skill is later modified to include install steps, network endpoints, or requests for credentials, revoke it and re-evaluate; (3) if you need the agent to operate on private .vl files, ensure those files don't contain sensitive secrets before sharing them with the agent.

Purpose & Capability: okName and description match the SKILL.md, format-reference.md, and best-practices.md files. All declared/required resources are empty (no env vars, binaries, or config paths), which is appropriate for a pure documentation/reference skill.
Instruction Scope: okSKILL.md contains prescriptive guidance about generating, parsing, and organizing .vl XML files. It does not instruct the agent to read arbitrary system files, call external endpoints, or access credentials — scope stays within the documented file-format tasks.
Install Mechanism: okNo install spec or code is provided (instruction-only). Nothing will be downloaded or written to disk by an installer, which is proportionate for a documentation skill.
Credentials: okThe skill declares no environment variables, credentials, or config paths. There is no disproportionate request for secrets or unrelated service keys.
Persistence & Privilege: okFlags show the skill is user-invocable and not always-enabled. It does not request persistent system-wide privileges or to modify other skills' configs.