Skill v1.0.1

ClawScan security

Context Slim · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 9, 2026, 6:37 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose: a local, dependency-free CLI tool that heuristically estimates token usage, suggests compressions, and generates offline HTML reports.
Guidance
This package appears coherent and local-only: it reads text, runs heuristics, and writes local reports. It intentionally uses approximate token estimation (10–15% error) — do not rely on it for billing or strict SLAs. As with any third‑party script, inspect the full source before running (you already have it), and if you want added assurance run it in a sandbox or VM. If you plan to feed sensitive prompts into the tool, verify there are no unexpected network calls in the full code (none are visible in the provided snippets). If you need exact token counts for billing/compliance, use the provider's official tokenizer instead.

Review Dimensions

Purpose & Capability
ok
Name/description (context token profiling and compression) match the provided code and CLI instructions. Required resources are minimal and appropriate (stdlib-only Python scripts). No unrelated credentials, binaries, or services are requested.
Instruction Scope
ok
SKILL.md and CLI examples instruct only local analysis of files or stdin and producing local output (text/json/HTML). The included code reads files, analyzes strings, and writes reports, which aligns with the stated purpose. The README/LIMITATIONS accurately call out limitations (estimates only, no live monitoring).
Install Mechanism
note
There is no install spec (instruction-only), but the package includes runnable Python scripts. That is reasonable for a CLI utility; nothing indicates hidden installers, external downloads, or archive extraction. Users should still run the scripts in a controlled environment if they want extra assurance.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The code samples and config_example.py show only local configuration (provider/model heuristics, thresholds). No access to unrelated secrets or external services is requested.
Persistence & Privilege
ok
Skill flags show default privileges (not always: true). It does not request persistent system-wide changes, nor does it attempt to modify other skills or agent configuration. It runs as a local CLI/library.