Skill v1.0.0
ClawScan security
Generic Quality Gateways for Unattended Agent Development · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Benign (Feb 24, 2026, 3:49 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are consistent with a repository-quality-gates tool: it reads repo/CI artifacts, writes reports into repo paths, and does not request unrelated credentials or install binaries.
- Guidance: This instruction-only skill appears coherent for repository quality gating, but review these points before installing:
  - It will read repository files, CI artifacts, and git history to collect evidence; run it only on repositories you trust or in a sandbox/copy if you have sensitive data.
  - It will create report and evidence files inside the repository (default paths under docs/quality and .tmp). Ensure the agent does not have unwanted push/commit permissions if you don't want persistent changes.
  - Because the skill performs secret-detection and scans, it may surface file paths or fingerprints of sensitive files; do not assume it will redact everything. Validate outputs.
  - Inspect and, if needed, customize the .defs/quality-gateway-definition.json template to set thresholds and blocking behavior appropriate to your org before use.
  - If you require stronger assurance, run the skill against a cloned repository in an isolated environment and review generated reports and any agent actions before granting broader access.
Review Dimensions
- Purpose & Capability: ok
  - Name/description (generic quality gates for repos/CI) align with the actual requirements: the skill is instruction-only, operates on repository files and optional CI artifacts, and uses a repository-stored JSON config (.defs/quality-gateway-definition.json). No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope: note
  - SKILL.md instructs the agent to read repo contents, CI artifacts, test/coverage/vulnerability reports, and git history, and to write report and evidence files into repo paths. This is expected for the stated purpose, but it does mean the agent will access potentially sensitive repository data (including history and artifact files) and will create files in the repository. Confirm that you want scans on full repo history and that report-writing behavior is acceptable.
- Install Mechanism: ok
  - No install spec and no code files requiring runtime installation. Instruction-only skills are lowest-risk from an install perspective because nothing is downloaded or executed from external URLs by the skill itself.
- Credentials: ok
  - The skill declares no required environment variables, credentials, or system config paths. The inputs described (REPO_ROOT, optional CI artifact path, commit range) are proportional to its stated function. There are no unexplained requests for tokens, keys, or external service credentials.
- Persistence & Privilege: note
  - always:false and model-invocation defaults are normal. The skill requires writing reports and evidence into repository paths (temp and docs directories). Writing into the repository is within scope but is persistent and could modify repo state; verify agent permissions and whether the agent will commit/push those files.
