Skill v1.0.1
ClawScan security
Microsoft Code Reference · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 1:39 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This instruction-only skill is coherent with its stated purpose—it directs lookups against Microsoft Learn (MCP) and a documented CLI fallback and requests no unrelated credentials or installs.
- Guidance: This skill is instruction-only and appears to do what it says: query Microsoft Learn and return code samples. Before using it, note three practical points: (1) it requires network access to Microsoft Learn and (if you use the fallback) to npm; (2) running npx @microsoft/learn-cli will fetch and execute a package from the npm registry on-demand—verify the package name (@microsoft/learn-cli is the documented package) or avoid global installs if you prefer; and (3) queries you send (including code snippets you paste) will be transmitted to the remote documentation/search service, so avoid sending sensitive secrets. Otherwise, the skill makes no disproportionate demands and requests no credentials.
Review Dimensions
- Purpose & Capability (ok): The name/description (Microsoft API reference, code samples, SDK verification) match the SKILL.md instructions which call the Microsoft Learn MCP endpoints and the mslearn CLI. No unrelated credentials, binaries, or config paths are required.
- Instruction Scope (ok): Runtime instructions stay focused on searching docs, fetching pages, and retrieving code samples via microsoft_docs_search / microsoft_code_sample_search / microsoft_docs_fetch or the mslearn CLI. There are no directives to read arbitrary local files, access unrelated env vars, or send data to endpoints outside the documented Microsoft Learn API / npm registry fallback. Note: using the CLI or service implies network requests and that queries (including short code snippets) will be sent to external services for search.
- Install Mechanism (ok): There is no install spec (instruction-only). The SKILL.md suggests using npx or optionally installing the official @microsoft/learn-cli from npm as a fallback; this is a reasonable, proportionate fallback but does involve downloading code from the npm registry if used.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. That matches the described functionality (public documentation lookups). No excessive secrets or unrelated service keys are requested.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/privileged presence or modify other skills or system-wide settings. It does not ask to store tokens or change agent config.
