Skillv1.0.1

ClawScan security

Microsoft Skill Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 16, 2026, 1:39 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only authoring template for building Microsoft-focused agent skills that is internally consistent with its stated purpose and requests no unexplained credentials or system access.
Guidance: This is an authoring template for creating Microsoft-tech agent skills and appears coherent. Before using: (1) verify the Learn MCP endpoints/CLI you call are the official Microsoft packages (the SKILL.md references https://learn.microsoft.com/api/mcp and @microsoft/learn-cli), (2) avoid running global npm installs from unverified environments — prefer npx or pin exact package versions, (3) inspect any generated skill (especially ones that provision Azure resources) for code that would require cloud credentials or perform network operations, and (4) if you plan to let agents invoke this autonomously, review generated artifacts and any CLI commands they will run to ensure no unexpected network installs or sensitive-data access occur.

Review Dimensions

Purpose & Capability: okName, description, and all instructions align: the SKILL.md guides creation of skills for Microsoft technologies and references Learn MCP tooling (and a documented CLI fallback). It does not request unrelated binaries, env vars, or access.
Instruction Scope: okInstructions stay within the task: they describe investigation phases, content to store locally, and how to use microsoft_docs_search / fetch / code_sample_search or mslearn CLI as fallback. They ask the agent to generate skill files (SKILL.md, references/, sample_codes/) but do not instruct reading unrelated system files, environment secrets, or exfiltrating data.
Install Mechanism: noteThere is no install spec (instruction-only). The SKILL.md suggests using the mslearn CLI via npx or npm (e.g., npx @microsoft/learn-cli or npm install -g @microsoft/learn-cli). That is a normal fallback but implies network package downloads and code execution when run—users should verify the CLI package source before running installs.
Credentials: okThe skill itself requires no environment variables, credentials, or config paths. Templates note domain-appropriate prerequisites (e.g., 'Azure subscription' for Azure services), which is reasonable — but generated Azure-focused skills may then legitimately request cloud credentials, so review those generated skills separately.
Persistence & Privilege: okThe skill is not marked always:true and is instruction-only, so it does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings.