Skillv2.0.0

ClawScan security

Graph Of Thoughts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 28, 2026, 1:53 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and runtime instructions are consistent with a Graph-of-Thoughts reasoning tool; nothing requests unrelated credentials or strange installs, but the provided wrapper references a missing implementation file and a few small implementation bugs that should be checked before use.
Guidance: This skill is coherent with its stated purpose and does not request credentials or perform installs. Before installing or enabling it for autonomous use: 1) note that unified_wrapper.py tries to import 'graph_of_thoughts.py' from the package root but that file is not present in the provided manifest — the wrapper will fail to load the original implementation unless that file is supplied; 2) the SKILL.md and integration docs assume the skill can write session summaries (memory/got-sessions.md) and run test scripts — confirm whether writing to agent memory/storage and test-script execution are acceptable; 3) small code issues (unreachable return in can_handle, basic error handling) look like benign bugs but review the original implementation if you get it. If you require network or file-write restrictions, ensure the agent's runtime enforces those, and ask the skill author for the missing implementation file and a test-run log before giving it broader privileges.

Review Dimensions

Purpose & Capability: okThe name/description (Graph of Thoughts reasoning) matches the included SKILL.md, examples, integration docs, and code. Examples and integration points align with a multi-path reasoning/synthesis tool; there are no environment variables, binaries, or credentials required that are unrelated to the stated purpose.
Instruction Scope: noteSKILL.md focuses on generating/evaluating/composing thought paths and contains examples, tests, and integration guidance that stay within the skill's scope. It references storing session learnings (memory.store / memory/got-sessions.md) and running test scripts (pwsh skills/.../run-tests.ps1). These are plausible for a reasoning skill but imply the skill or integrator may write session data to the agent's memory/storage — review storage policies if that is a concern.
Install Mechanism: okNo install spec is provided (instruction-only), so nothing will be downloaded or installed on the host. This is the lowest-risk model and matches the SKILL.md content.
Credentials: okThe skill does not request any environment variables, credentials, or config paths. SKILL.md and code do not instruct the agent to read unrelated secrets or external service tokens.
Persistence & Privilege: okThe skill is not marked 'always' and uses normal autonomous invocation defaults. It does reference writing session learnings (memory.store) in integration docs, which is a reasonable feature for a reasoning skill but should be allowed/monitored per your agent's memory policy.