Skill v0.1.0
ClawScan security
Wasm Spa Autofix React Imports · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign, Feb 23, 2026, 9:40 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill’s requested inputs and instructions are consistent with a tool that analyzes a project and proposes/creates import fixes for React/TSX files; nothing required or instructed is disproportionate to that purpose.
- Guidance: This skill appears to do exactly what it says: read the project (under the projectRoot you supply), detect missing/incorrect imports, and propose or apply patches. To reduce risk: run first with dryRun:true and review unified diffs before applying; supply a specific projectRoot that limits file access (not system root); avoid giving it access to repositories containing secrets; confirm patches to build/config files (tsconfig, entry file) manually if you’re unsure; and only enable autonomous invocation if you trust the runtime to make safe edits. If you need higher assurance, request a copy of the exact patch output before applying or run the fixes inside an isolated CI job/repository clone.
Review Dimensions
- Purpose & Capability (ok): The name/description (auto-fix React imports in a WASM SPA preview pipeline) matches the declared inputs (projectRoot, filePath, fileContents, bundlerLogs, knownLibraries) and the described behavior (search codebase, infer missing imports, produce patches). No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (note): The SKILL.md explicitly instructs the agent to read additional project files (barrel files, tsconfig, sibling components) and to edit files (imports, entry file, tsconfig) when needed. That is coherent for the stated purpose, but it means the agent will inspect and modify arbitrary project files under the provided projectRoot — review patches before applying and prefer dryRun for review.
- Install Mechanism (ok): Instruction-only skill with no install spec or code files. No downloads or external package installs are requested, so there is no install-time risk.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths beyond the project path inputs. Requested access is proportional to locating imports and making source edits.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) or system-wide config changes. It may modify project files within the provided projectRoot, which is expected behavior for a code-fixing tool.
