Skillv1.0.0

ClawScan security

Arxiv Gamedevbench Evaluating Agentic Capabili · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 15, 2026, 3:29 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an auto-generated Node.js scaffold that matches its description (a runnable paper-based scaffold); it requests only the node binary and contains no network calls, secret access, or surprising install steps.
Guidance: This skill appears coherent and low-risk: it’s an auto-generated Node.js scaffold that only prints a paper summary and a TODO. Before running, inspect the bundled files (already included) to confirm there are no added network calls or secret reads. Execute in a sandbox or isolated environment if you want additional caution. If you plan to extend the scaffold, review package.json before adding dependencies and avoid running it with elevated privileges.

Purpose & Capability: okName/description claim Node.js scaffolding for the GameDevBench paper and the skill only requires the node binary; included files (index.js, scripts/run.js, package.json, paper.json) are consistent with that purpose.
Instruction Scope: okSKILL.md instructs running scripts/run.js. The included run.js only logs metadata and a truncated abstract; there are no instructions to read unrelated files, access environment variables, or send data to external endpoints.
Install Mechanism: okNo install spec provided (instruction-only). There are local code files bundled, but no downloads, package installs, or extract steps. package.json has no dependencies, so nothing is pulled at runtime beyond node.
Credentials: okThe skill declares no required environment variables or credentials and the code does not access process.env; requested privileges are minimal and appropriate for a local Node.js scaffold.
Persistence & Privilege: okalways is false and the skill does not persist configuration or modify other skills/system settings. It only exposes a main() that prints to stdout.