v0.1.0

Spec Miner

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:56 AM.

Analysis

Spec Miner is a coherent instruction-only code documentation skill, but users should be aware it can inspect project files, including configuration files, and has Bash available.

Guidance

This skill appears safe for documenting a codebase, but use it only on projects you want analyzed. Review any proposed Bash command before allowing it, and instruct the agent to summarize configuration and security settings without copying secrets or tokens into the generated spec.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
allowed-tools: Read, Grep, Glob, Bash

The skill requests shell access in addition to read/search tools for a code archaeology task. This is disclosed and generally purpose-aligned, but Bash is broader than read-only repository inspection.

User impact: The agent may be able to run local shell commands while analyzing a project.

Recommendation: Use it in repositories you intend to analyze and require explicit approval before any Bash command that changes files, runs project code, or accesses areas outside the target project.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
references/analysis-checklist.md
**Config** | Env files, config modules | `**/.env*`, `ConfigService`

The checklist includes environment/configuration file discovery. This is relevant to documenting a system, but such files can contain credentials, tokens, or deployment settings.

User impact: Sensitive configuration values could be encountered during analysis and may accidentally appear in generated documentation if not handled carefully.

Recommendation: Before use, tell the agent not to quote secret values from .env or config files, and review the generated specification for credentials before sharing it.