Skill v1.0.1
ClawScan security
Component Api Design · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 6:55 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only skill that gives guidelines and templates for designing React/Vue component APIs; its requirements and instructions are consistent with that purpose and it does not request credentials, installs, or system access.
- Guidance: This skill is instruction-only and appears safe to install: it only provides design guidance and templates for React/Vue components. Before using, keep in mind: (1) review any code snippets the skill produces before copying into a codebase; (2) do not paste sensitive secrets or proprietary code into prompts if you don't want them processed by the model; (3) check the README/homepage link if you want attribution or licensing details (this package references a GitHub URL in metadata); (4) autonomous invocation is allowed by default on the platform; if you want the agent to only run this skill when asked, use the platform's skill permission controls.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL.md contains component API design guidance, templates, and decision rules. No unrelated resources, credentials, or binaries are requested.
- Instruction Scope (ok): Instructions are focused on component design decisions (props, events, file layout, examples). They do not instruct reading files, accessing environment variables, network endpoints, or system state beyond producing design text.
- Install Mechanism (ok): No install spec and no code files; this is an instruction-only skill. Nothing is written to disk or downloaded as part of installation.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. There are no disproportionate secret or system access requests.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request permanent presence or modify other skills or system settings. Autonomous invocation is enabled by default but is typical and not combined with other red flags.
