Skill v0.1.2

ClawScan security

avatar-generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 6:31 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements are internally consistent for generating SVG avatars via a pinned npm package; no unrelated credentials, installs, or surprising behaviors are requested, though there are small documentation/instruction inconsistencies and the usual supply-chain caveats around running an npm package via npx.
Guidance
This skill appears to be what it claims: a small, deterministic avatar generator that runs a pinned npm package and a tiny local preview script. Before installing, consider:

1) review the npm package @bitmappunks/avatar-generator@0.0.5 on the registry (its code and any install scripts) because npx will fetch and run third-party code; pinning reduces but does not remove supply-chain risk;
2) decide whether you prefer the SKILL.md behavior (auto-use timestamp when seed omitted) or the commands file behavior (prompt user) and ensure your agent enforces the desired flow;
3) if you're concerned about executing remote code, run the skill in a sandboxed environment or audit the package contents first; and
4) be aware npx -y auto-accepts installation prompts — if you want manual consent, remove -y or run the package after reviewing it.

Review Dimensions

Purpose & Capability (ok)
The skill claims to generate deterministic SVG avatars and does exactly that: it runs a pinned npm package via npx and includes a small terminal preview script. Declared runtime requirements (node, npx) match the stated purpose, and there are no unrelated env vars, binaries, or config paths requested.
Instruction Scope (note)
The SKILL.md instructions stay within avatar generation and file output/preview. There is a minor inconsistency: SKILL.md says seed is optional and defaults to the current Unix timestamp, while commands/gen-avatar.md explicitly requires prompting the user if the seed is omitted. Also, the preview script reads the generated SVG from a user-supplied path (intended behavior) — be aware the file path comes from the user/agent context.
Install Mechanism (note)
No install spec is bundled; the skill runs @bitmappunks/avatar-generator@0.0.5 via npx. Version pinning is good for determinism. Running npx will download and execute third-party package code (including any npm install/postinstall scripts) from the registry; this is expected for an npm-backed skill but is a general supply-chain risk to consider.
Credentials (ok)
The skill requests no environment variables, credentials, or config paths. This is proportionate to its stated purpose.
Persistence & Privilege (ok)
The skill is not always-enabled and does not request elevated persistence or modify other skills' configs. Autonomous invocation is allowed by default but is not combined with any broad privileges here.