Skill v1.0.0

ClawScan security

SkillTree Learning Progress Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 11:00 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose: a local, file-backed learning progress tracker with no network access or credential requirements.
Guidance
This skill appears to do what it says: it stores progress locally in a JSON file (./skill-tree.json by default) and offers suggestions. Before installing or using it:
1) Review or run the src/skill-tree.js code in a sandbox to confirm behavior.
2) Back up any existing ./skill-tree.json (the default filename could overwrite an existing file).
3) Consider running the skill from a dedicated directory or changing options.dataFile to a safe path.
4) Note that save errors are silently ignored in the code (catch blocks are empty), so test saving/loading to ensure your data is persisted.
5) No network or credentials are requested, so there is low exfiltration risk, but if you modify the skill, re-review any added network or credential access.
Overall, the package is coherent and proportionate to its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, README, and src/skill-tree.js all align: the skill is a local skill-tree tracker that stores progress in a JSON file and provides suggestions/metrics. It does not request unrelated credentials or binaries.
Instruction Scope
ok: SKILL.md instructs local usage and the code reads/writes a local JSON data file (default ./skill-tree.json). There are no instructions to read arbitrary system files, access network endpoints, or exfiltrate data. The SKILL.md disclaimer claiming local storage only matches the implementation.
Install Mechanism
ok: No install spec; the skill is instruction + a small Node.js module. No downloads, package installs, or archive extraction are present in the bundle.
Credentials
ok: The skill declares no environment variables, credentials, or config paths, and the code only uses the Node fs module to read/write a local path. Requested permissions are proportionate to a local progress tracker.
Persistence & Privilege
ok: "always" is false and the skill does not modify other skills or system-wide configs. It persists only to a user-accessible JSON file (default ./skill-tree.json).