Spec Miner
Pass. Audited by ClawScan on May 1, 2026.
Overview
Spec Miner is a coherent instruction-only code documentation skill, but users should be aware it can inspect project files, including configuration files, and has Bash available.
This skill appears safe for documenting a codebase, but use it only on projects you want analyzed. Review any proposed Bash command before allowing it, and instruct the agent to summarize configuration and security settings without copying secrets or tokens into the generated spec.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to run local shell commands while analyzing a project.
The skill requests shell access in addition to read/search tools for a code archaeology task. This is disclosed and generally purpose-aligned, but Bash is broader than read-only repository inspection.
allowed-tools: Read, Grep, Glob, Bash
Use it in repositories you intend to analyze and require explicit approval before any Bash command that changes files, runs project code, or accesses areas outside the target project.
Sensitive configuration values could be encountered during analysis and may accidentally appear in generated documentation if not handled carefully.
The checklist includes environment/configuration file discovery. This is relevant to documenting a system, but such files can contain credentials, tokens, or deployment settings.
**Config** | Env files, config modules | `**/.env*`, `ConfigService`
Before use, tell the agent not to quote secret values from .env or config files, and review the generated specification for credentials before sharing it.
