Skill v1.0.0
ClawScan security
Technical Deep Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 5:51 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only methodology skill for conducting technical deep-dive analyses; its files and runtime instructions are consistent with that purpose and it does not request credentials, installs, or perform suspicious operations.
- Guidance: This skill appears to be a benign, self-contained methodology and templates for writing technical analyses. Before enabling it, note: (1) it is instruction-only and requests no credentials, so platform risk is low; (2) review templates to ensure you are not asked to paste any sensitive internal data into generated reports; (3) if the skill is later updated to include install steps or requests for API keys/config paths, reassess — those would change the risk profile; (4) allow only trusted agents to run the skill autonomously if you have concerns about automated report generation using internal data.
Review Dimensions
- Purpose & Capability (ok): Name and description describe a methodology for technical analysis and all included artifacts (SKILL.md, templates, checklist) align with that purpose; nothing in the package asks for unrelated capabilities or external credentials.
- Instruction Scope (ok): SKILL.md contains structured, prescriptive steps, templates, and checklists for analysis. It does not instruct the agent to read arbitrary local files, access environment variables, call unknown endpoints, or exfiltrate data—its scope is limited to producing analysis output and sourcing external references (e.g., public docs).
- Install Mechanism (ok): No install spec and no code files that execute — instruction-only. package.json exists but points to SKILL.md; nothing will be downloaded or executed during install, so install risk is minimal.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config-path access. The templates and instructions reference public sources as examples only; there is no disproportionate request for secrets or unrelated tokens.
- Persistence & Privilege (ok): Skill does not request always: true and does not include install scripts or self-modifying behavior. It is user-invocable and follows the platform default for autonomous invocation, which is expected for skills.
