Skillv1.0.1

ClawScan security

Faq Forge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 2:14 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: FAQ Forge appears to be a coherent, local CLI Python FAQ/knowledge-base tool: its code, docs, and runtime instructions align and it does not request credentials, external downloads, or hidden network access.
Guidance: This skill is internally consistent and appears to be a straightforward, local Python CLI tool. Before installing or running it: (1) Inspect the repository and README yourself (you already have the files). (2) Run it in an isolated project directory (not as root) so faq_data.json and backups are written where you expect. (3) Back up any important data and use Git if you want history (the tool stores a single JSON file). (4) Review generated HTML before publishing publicly (the docs mention adding Google Analytics manually; the shipped code does not add telemetry by default). (5) If you want extra assurance, run the included tests (test_demo.py) in a sandbox or review the full source for any network calls (none were evident in the provided files).

Review Dimensions

Purpose & Capability: okThe name/description (build, maintain, publish FAQ docs) matches the shipped scripts (faq_forge.py, faq_import.py, faq_publish.py, faq_templates.py). Required capabilities are local file I/O and HTML/Markdown generation — which are exactly what the code implements. Nothing in the manifest asks for unrelated cloud credentials or binaries.
Instruction Scope: okSKILL.md gives concrete CLI commands that operate on local files (adding entries, importing markdown, publishing static HTML/MD/TXT). The runtime instructions and included code reference only local files (faq_data.json, backups, input markdown) and local publishing. There are no instructions to read unrelated system state, call external endpoints, or exfiltrate data. The docs mention optional analytics (Google Analytics) as a manual enhancement, but the included code does not add network telemetry by default.
Install Mechanism: okNo install spec or external downloads; code is pure Python using the standard library per the README. This is low-risk — nothing is fetched from arbitrary URLs or written to nonstandard system locations by an installer. The SKILL.md suggests making scripts executable and running them directly.
Credentials: okThe skill declares no required environment variables, no primary credential, and no config paths. The code operates on local JSON files and optional backup directories described in config_example.json. There are no requests for unrelated secrets or credentials. Note: the tool will store FAQ content and backups on disk (faq_data.json and backup files); consider whether that local storage is acceptable for your data.
Persistence & Privilege: okalways:false and no special privileges are requested. The scripts write and back up a local JSON database and may create a backup directory; they do not modify other skills or global agent configuration. There is no daemon/service requested or requirement for permanent system-wide presence.