Skill v1.0.0

ClawScan security

Code Project Auto Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 5:42 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated purpose: it reads a local project directory, summarizes tech stack/structure, and writes a Markdown report; it does not request credentials, perform network calls, or install external binaries.
Guidance
This skill appears coherent and implements exactly what it claims: scanning a local project directory and producing a Markdown introduction. Before installing or running it, consider: (1) it requires Node.js and filesystem read/write access — avoid pointing it at sensitive system or credential directories; (2) the README suggests cloning from a third‑party Git host (gitcode.com) — verify the source and integrity of the repository you install; (3) review the included index.js (present here) yourself if you have concerns — it performs only reads/writes and contains no network calls or shell execution. If you want extra caution, run it on a copy of the repository or in an isolated environment.

Review Dimensions

Purpose & Capability: ok
Name/description claim to analyze local code projects and produce documentation, and the included index.js implements exactly that: scanning files, detecting common manifest files, summarizing directories, and generating a Markdown report. No unrelated credentials, remote APIs, or unrelated binaries are requested.

Instruction Scope: ok
SKILL.md instructs the agent to scan a specified local path and generate a doc. The implementation only reads project files (package.json, README.md, manifests) and directory entries (skips node_modules/venv and dotfiles), limits recursion depth, and optionally writes an output file. It does not instruct the agent to read unrelated system files, environment variables, or transmit data externally.

Install Mechanism: ok
There is no automated install spec in the registry entry (instruction-only skill). README suggests cloning from a Git host, but that is a user-facing install hint rather than an automated download step. No archives or remote installers are executed by the skill itself.

Credentials: ok
The skill declares no required environment variables, no credentials, and no config paths. The code only needs local filesystem access (Node.js runtime), which is proportionate to the stated functionality.

Persistence & Privilege: ok
Skill flags show default behavior (always: false) and allow user invocation. It does not request permanent presence, nor does it modify other skills or system-wide settings. Autonomous invocation is allowed by platform default but is not combined with other red flags here.